
Help talk:Toolforge/Web/Archives/2022

From Wikitech

Why are there many third-party sites in our tool's csp-report

We are running the https://scholia.toolforge.org and look at the associated CSP report at https://csp-report.toolforge.org/search?ft=scholia&p=1. We are aware of the issue for doi.org, but the other sites, e.g., fonts.gstatic.com and use.typekit.net, we are not aware why they show up. We are using Bootstrap and some other third-party libraries. When I F12 in Firefox, I do not see these domains. When I grep in our assets directory I cannot find them. Are these log entries artifacts? Finn Årup Nielsen (fnielsen) (talk) 17:45, 30 March 2022 (UTC)

I cannot recreate requests from scholia for sites like fonts.gstatic.com either. Looking at the reports in the CSP portal and the total traffic to the tool in the last 14 days (https://toolviews.toolforge.org/api/v1/tool/scholia/daily/2022-03-15/2022-03-30), I have a hunch that you have a few users (or maybe even just one heavy user) who have browser add-ons/extensions installed which request content from common CDNs as part of their implementation. This is a common cause of false positive CSP report data. Browsers typically do not isolate traffic driven by the page's content from traffic driven by other configuration in the browser itself when applying and reporting CSP restrictions.
If your tool was actively using resources from third-party CDNs I would expect to see a lot more than the ~1000 reported violations compared to the ~1.5M HTTP requests the tool has handled in the reporting period. -- BryanDavis (talk) 19:49, 30 March 2022 (UTC)
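The triage logic sketched in the answer above, as an added example that is not code from Wikitech, Scholia or the csp-report tool: it reads CSP violation reports in the standard `csp-report` JSON shape, separates requests issued by browser extensions (the `source-file` uses an extension URL scheme) from requests the page's own assets could explain (the blocked host appears in a list of hosts the tool's assets reference) and from unexplained third-party hosts, and then compares the violation count against total request volume to judge whether a violation is systematic (page-driven) or sporadic (client-side noise). The sample reports, the host list and the 1% threshold are constructed assumptions for illustration.

```python
"""Triage CSP violation reports: extension noise vs. page-driven violations.

Added example, not the csp-report tool's own logic. The report layout follows
the standard `csp-report` JSON body; the classification heuristics and the
systematic/sporadic threshold are this example's own assumptions.
"""
import json
from collections import Counter
from urllib.parse import urlparse

# URL schemes that only browser extensions use for their injected scripts.
# A violation whose source-file has one of these schemes was not caused by
# the page's own content.
EXTENSION_SCHEMES = {"moz-extension", "chrome-extension", "safari-web-extension"}

# Constructed sample: hostnames a grep of the tool's own assets turns up.
OWN_HOSTS = {"scholia.toolforge.org", "doi.org"}

# Constructed sample reports (raw JSON bodies as a browser would POST them).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://scholia.toolforge.org/author/Q1",
        "violated-directive": "font-src",
        "blocked-uri": "https://fonts.gstatic.com/s/roboto.woff2",
        "source-file": "moz-extension://0123abcd/content.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://scholia.toolforge.org/author/Q1",
        "violated-directive": "style-src",
        "blocked-uri": "https://use.typekit.net/abc.css",
        "source-file": "https://scholia.toolforge.org/static/app.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://scholia.toolforge.org/work/Q2",
        "violated-directive": "connect-src",
        "blocked-uri": "https://doi.org/10.1000/example",
        "source-file": "https://scholia.toolforge.org/static/app.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://scholia.toolforge.org/work/Q2",
        "violated-directive": "script-src",
        "blocked-uri": "inline"}}),
]


def parse_report(raw):
    """Return the report body, tolerating bodies with or without the
    `csp-report` wrapper object."""
    data = json.loads(raw)
    return data.get("csp-report", data)


def classify(body, own_hosts):
    """Label one violation body with the most likely cause."""
    source = body.get("source-file") or ""
    if urlparse(source).scheme in EXTENSION_SCHEMES:
        return "extension"
    host = urlparse(body.get("blocked-uri") or "").hostname
    if host is None:
        # "inline", "eval", "data", etc. carry no host to cross-check.
        return "inline-or-scheme"
    if host in own_hosts:
        return "own-asset"
    return "unexplained-third-party"


def triage(raw_reports, own_hosts):
    """Count violations per class and per (class, blocked host)."""
    by_class, by_host = Counter(), Counter()
    for raw in raw_reports:
        body = parse_report(raw)
        label = classify(body, own_hosts)
        by_class[label] += 1
        host = urlparse(body.get("blocked-uri") or "").hostname or "-"
        by_host[(label, host)] += 1
    return by_class, by_host


def violation_pressure(n_violations, total_requests, systematic_threshold=0.01):
    """If the page itself loaded a blocked resource, nearly every page view
    would report it, so violations would be a large fraction of requests.
    A ratio far below the (assumed) threshold points to client-side noise."""
    if total_requests <= 0:
        raise ValueError("total_requests must be positive")
    ratio = n_violations / total_requests
    return "systematic" if ratio >= systematic_threshold else "sporadic"


if __name__ == "__main__":
    classes, hosts = triage(SAMPLE_REPORTS, OWN_HOSTS)
    for (label, host), n in sorted(hosts.items()):
        print(f"{label:24s} {host:28s} {n}")
    # Figures quoted in the thread: ~1000 violations over ~1.5M requests.
    print("overall:", violation_pressure(1000, 1_500_000))
```

Running the block prints one line per (class, host) pair and the overall verdict; in a real deployment the raw JSON bodies would come from the report collector's storage and the host list from a grep over the tool's own static assets, as the original poster describes doing.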
Thanks! I also came to think that it could be add-ons. Finn Årup Nielsen (fnielsen) (talk) 16:34, 6 April 2022 (UTC)