Page MenuHomeMiraheze

CSP whitelist openagenda.com
Closed, DeclinedPublic

Description

I am trying to add an OpenAgenda iframe on my wiki. Here is an help page in French you might be able to retrieve in English (I cannot as I am always redirected to the French one) : https://openagenda.zendesk.com/hc/fr/articles/212801065-Widget-d-aper%C3%A7u

I have created a widget here https://zw.fontainebleau-avon.fr/wiki/Widget:OpenAgenda that I call on the Homepage {{#widget:OpenAgenda}}

I do see the frame on the Homepage (which is above the maps) but it does not display the inside that should be : https://openagenda.com/agendas/25554071/embeds/56281713/events?lang=fr

Below is a part of the chat between RhinosF1 and me on IRC on November 30th, 2019 :

<RhinosF1> Does anything show in the developer console?
<Kevin77300> Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à https://openagenda.com/js/embed/cibulBodyWidget.js (« default-src »).
<Kevin77300> Which can be translated into : the parameters of the page prevented to load a resource in http://...
<RhinosF1> Kevin77300: looks like it's (intentionally) been blocked. You'll need to request a CSP exemption on Phabricator
<RhinosF1> Or get it whitelisting

Another solution would be adding the <div> only and not the iframe, but I'm not good enough to troubleshoot this.

Can you help me on this topic ?

Event Timeline

Below is the <div> displayed here that would work for me : https://openagenda.zendesk.com/hc/fr/articles/212801065-Widget-d-aper%C3%A7u

<div class="oa-preview cbpgpr" data-oapr data-cbctl="25554071|fr"> 
<a href="https://openagenda.com/agendas/25554071">Voir l'agenda</a> 
</div><script src="//openagenda.com/js/embed/oaPreviewWidget.js"></script>

The thing is that I don't know how to embed this anyway

In my personal opinion before we whitelist any domain that is not operated by a well known entity to use iframes we should have a security review.

@LakesideMiners : To answer your question, yes MobileFrontend Extension is being used.

@Zppix : Is there a chance to display information in a different way than iframes ?

Reception123 renamed this task from Whitelist openagenda.com to CSP whitelist openagenda.com.Jan 11 2020, 09:13
Reception123 edited projects, added Technology-Team; removed Configuration.

Sorry for the delay in responding. Is this still needed?

Reception123 claimed this task.

No response in a week (and no recent wiki activity). Again, I am really sorry that this request was not looked at before, and we are working on a way to improve response times on Phabricator. Please reopen this task if this is indeed still needed.