
Widgets are broken (private wiki)
Closed, Resolved | Public

Description

(It involves a private wiki. That's why I report it here.)

You could see the Google sheet (using the widget) fails to load.
Other sites which use widgets work.
There might be some configuration issues. Please check.
Thank you.

Extension:Widgets
https://www.mediawiki.org/wiki/Extension:Widgets

Widget extensions have other widgets too.
https://www.mediawiki.org/wiki/Extension:Widgets#Widget_library

We use YouTube, Facebook, Google Maps, Google Docs, Google Presentation too.

Event Timeline

Oh, sorry it's our iframe whitelist. Will add it to that.

Got it wrong again, "Refused to load http://docs.google.com/spreadsheet/ccc?key=1DiubyV7720n3q1PX38uhQenYYaurv_SLrZZ6VeLPui4&usp=sharing because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy."

It's the child-src of the CSP.

Reception123 lowered the priority of this task from High to Normal. Dec 19 2019, 16:08

@Revival So which sites would you like added to the CSP?

Currently they are:

  • YouTube
  • Facebook
  • Google Maps
  • Google Docs
  • Google Spreadsheet
  • Google Spreadsheet Form
  • Google Presentation

Thank you.

Reception123 claimed this task.

Really sorry for the delay, I've added Facebook to the CSP and the rest were already there.

Unfortunately widgets are still broken.
Please check email. The link of the test page is sent. Thank you.

@Revival In order to fix this you need to edit https://inforevival.miraheze.org/wiki/Widget:Google_Spreadsheet and replace all mentions of "http" with "https"

@Reception123 Edits are made but widgets are still broken. See the test page. Thank you.

@Revival It says "We're sorry. This document is not published." This means you need to publish the document with Google Spreadsheets, and it is not an issue caused by us or the widget.

@Reception123 The error message is wrong. The document is actually published and publicly viewable. Direct link has been provided. You could check it yourself.

Google has many domains, for example:
google.co.uk
google.com.hk

Perhaps you should whitelist all of them, shouldn't you?

If I get it right, it just whitelists *.google.com, but not google.co.uk, google.com.hk, googleusercontent.com etc.

I'm not sure why you would need that added, because Google Spreadsheets should be on .com

googleusercontent.com is useful to display images and photos stored in Google Drive. Currently all those images are broken.

Google has other services, like Google Forms, Google Maps, Google Docs, Google Presentation.

I wonder whether Google loaded something or some scripts from others of its domains. That might be the reason why the widget failed to load the spreadsheets (which are actually published and publicly viewable).

I'm not sure if the above whitelist supports regex. It would be easy to whitelist all Google domains by regex.

John changed the visibility from "Custom Policy" to "Public (No Login Required)". May 4 2020, 19:47
John changed the edit policy from "Custom Policy" to "All Users".

I don't think so, since it'll bloat CSP (which takes wildcards only).

We found a workaround.
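
The matching behaviour discussed in this task, as an added example that is not part of the thread and not Miraheze's configuration: a simplified CSP Level 3 source matcher showing why the `http://` spreadsheet URL is refused on an HTTPS wiki and why `*.google.com` does not cover `google.co.uk` or `googleusercontent.com`. It goes slightly beyond the thread by also modelling directive fallback for images; the policy string, the function names and the `example.googleusercontent.com` host are constructed for illustration.

```javascript
// Added example: simplified CSP Level 3 source matching (ports, paths, keywords
// such as 'self', and scheme-only sources like "https:" are not modelled).
const FALLBACK = {                       // directive lookup order per fetch kind
  frame: ['frame-src', 'child-src', 'default-src'],
  image: ['img-src', 'default-src'],
};

function parsePolicy(text) {
  const policy = {};
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function schemeMatches(allowed, actual) {
  // A scheme may be upgraded (http -> https) but never downgraded.
  return allowed === actual || (allowed === 'http' && actual === 'https');
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  // "*.google.com" means "any host ending in .google.com"; it is not a regex.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function sourceAllows(expr, url, pageScheme) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:']+)/i.exec(expr);
  if (!m) return false;                  // quoted keyword or unsupported form
  const scheme = url.protocol.slice(0, -1);
  // A source without a scheme inherits the scheme of the protected page.
  return schemeMatches((m[1] || pageScheme).toLowerCase(), scheme) &&
         hostMatches(m[2].toLowerCase(), url.hostname);
}

function isAllowed(policyText, kind, urlText, pageScheme = 'https') {
  const policy = parsePolicy(policyText);
  const name = FALLBACK[kind].find((d) => d in policy);
  if (!name) return true;                // no governing directive: not restricted
  const url = new URL(urlText);
  return policy[name].some((src) => sourceAllows(src, url, pageScheme));
}

// Constructed policy for illustration; not the wiki's real header.
const POLICY = "default-src 'self'; child-src *.google.com *.youtube.com";
```

Each additional registrable domain needs its own wildcard entry, and images are checked against `img-src` (or `default-src`), not `child-src`.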