[01:10:00] <legoktm>	 better late than never!
[01:20:06] <Platonides>	 oh, well
[15:24:46] <Reedy>	 !hss
[15:24:46] <wm-bot>	 https://upload.wikimedia.org/wikipedia/mediawiki/6/69/Hesaidsemanticga2.jpg
[15:26:30] <Vulpix>	 RIP
[15:26:57] <Reedy>	 yup
[15:28:29] <legoktm>	 Reedy, Vulpix: https://phabricator.wikimedia.org/T282006
[15:28:45] <Reedy>	 heh
[19:02:56] <ori>	 one of you has to pose for a recreation
[19:03:16] <ori>	 this has to be priority #1 at the next hackathon or whatever
[19:03:35] <Majavah>	 what was that image?
[19:05:33] <ori>	 https://i.postimg.cc/6pmBQc12/download.jpg
[21:45:23] <Reedy>	 !hss del
[21:45:24] <wm-bot>	 Successfully removed hss
[21:45:39] <Reedy>	 !hss is https://upload.wikimedia.org/wikipedia/labs/6/69/Hesaidsemanticga2.jpg
[21:45:39] <wm-bot>	 Key was added
[23:22:08] <John_Ivan>	 hi. I have enabled $wgAllowExternalImages. I am able to display inline a bunch of images only if they are local/using the internal images of the domain I'm using. I cannot link external images from other sites. Anything that can be done?
[23:22:31] <John_Ivan>	 I'm using direct urls.
[23:23:36] <John_Ivan>	 When linking to an external site, I just get back the name of the image as text. When I inspect the element, it says "image failed to load". 
[23:23:57] <John_Ivan>	 The image is indeed accessible. And attempting to "Reload Image" doesn't work.
[23:36:12] <bd808>	 John_Ivan: I wish I knew anything at all about that feature to help you debug. :/
[23:38:01] <bd808>	 When you say that you inspected the element, was the element an <img> tag or something else?
[23:38:38] <John_Ivan>	 bd808, it was an image.
[23:38:43] <John_Ivan>	 <img> tag *
[23:40:14] <bd808>	 ok, that's at least expected. :) Does the URL that you give in the wikitext source get changed somehow when it is placed in the <img> tag's src=... attribute? Or does nothing get placed in the src attribute?
[23:41:38] <John_Ivan>	 bd808, the src attribute displays the link.
[23:41:48] <Skizzerz>	 do you have an example image that is problematic?
[23:42:09] <John_Ivan>	 I do... but pretty much any image that isn't from the subdomain will not display.
[23:42:26] <John_Ivan>	 so for example, if I take the url to the image of my own mediawiki, it will display it. anything external, it won't.
[23:42:30] <Skizzerz>	 hmm. Is your wiki public?
[23:42:39] <John_Ivan>	 Skizzerz, private.
[23:42:43] <Skizzerz>	 ah
[23:43:27] <Skizzerz>	 can you take a look at what the Content Security Policy header looks like in your wiki's HTTP responses?
[23:45:15] <John_Ivan>	 it's rather big.
[23:45:24] <John_Ivan>	 content-security-policy
[23:45:25] <John_Ivan>	 	default-src 'self' blob: data: *.miraheze.org *.wikimedia.org *.wikipedia.org *.wikibooks.org *.wiktionary.org *.wikiquote.org *.wikisource.org *.wikiversity.org *.wikinews.org *.wikivoyage.org *.mediawiki.org mediawiki.org *.wikidata.org wikidata.org *.wmflabs.org *.google.com *.gstatic.com *.addthis.com *.youtube.com *.youtube-nocookie.com maxcdn.bootstrapcdn.com twitter.com *.creativecommons.org images.uncyc.org 
[23:45:25] <John_Ivan>	 www.mikrodev.com *.reviservices.com *.twitter.com www.sciencedaily.com *.googleapis.com *.tw…dropboxstatic.com *.dropboxstatic.com disqus.com *.disqus.com *.nicovideo.jp lh3.googleusercontent.com db.onlinewebfonts.com wikiapiary.com *.vimeo.com *.googleusercontent.com *.imgbox.com www.gnu.org www.desmos.com z.moatads.com www.recaptcha.net snap.berkeley.edu *.netease.com openlayers.org wikiplus-app.com minotar.ne
[23:45:27] <John_Ivan>	 t *.tile.openstreetmap.org live.staticflickr.com *.pixabay.com cdn.geogebra.org docs.blender.org scratchblocks.github.io 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' *.miraheze.org
[23:45:28] <Skizzerz>	 yikes
[23:45:54] <John_Ivan>	 wait. is that the issue? it will only display images to these?
[23:45:59] <Skizzerz>	 yep
[23:46:04] <Skizzerz>	 you need an img-src * in there
[23:46:34] <John_Ivan>	 I can't run html I'm afraid, the page is in wikitext style.
[23:47:02] <Skizzerz>	 well, something in the webserver config is sending that over. Might be the wiki (configured in LocalSettings.php somewhere), or it may be something higher up in the webserver config
[23:47:35] <John_Ivan>	 I looked in the settings exposed in my wiki. didn't come across those domains.
[23:47:53] <Skizzerz>	 anyway, to test the theory, can you try hotlinking an external image from one of those domains listed in default-src?
[23:48:43] <Skizzerz>	 for example, https://www.mediawiki.org/static/images/footer/poweredby_mediawiki_88x31.png
[23:48:56] <John_Ivan>	 Skizzerz, tried it now. it works.
[23:49:00] <John_Ivan>	 tried it with https://wikiapiary.com/w/images/wikiapiary/thumb/5/5e/WikiApiary_Bee.png/128px-WikiApiary_Bee.png
[23:49:17] <Skizzerz>	 ok well at least we identified what the issue is :)
[23:49:25] <bd808>	 John_Ivan: https://www.mediawiki.org/wiki/Manual:$wgCSPHeader might help you
[23:50:54] <Skizzerz>	 John_Ivan: is your wiki on Mirahaze? If so, you will need to engage their staff in helping you fix this. It isn't something you'll likely be able to do yourself
[23:51:06] <Skizzerz>	 I'm just asking based on some of the things listed in the CSP header
[23:53:19] <John_Ivan>	 hmmmmmmmmmm. yeah it is on Mirahaze.
[23:53:35] <John_Ivan>	 and yeah, I don't find anything in the settings I get as a user
[23:54:00] <John_Ivan>	 Skizzerz, bd808 thanks. at least I know what the issue is now.
[23:54:01] <Skizzerz>	 I'd be surprised if it was exposed tbh, giving end user control over the CSP header is a security risk
[23:55:00] <John_Ivan>	 Guess I'll find a different wiki host.
[23:55:11] <Skizzerz>	 well try contacting their staff first
[23:55:15] <Skizzerz>	 they may be willing to help you out
[23:55:22] <bd808>	 John_Ivan: you may be able to request some additional hosts to be added to the allow list. See https://phabricator.miraheze.org/T4760 for an example.
[23:56:19] <bd808>	 https://phabricator.miraheze.org/T5092#102169 -- "We're going to go for an informal policy which is that each request is case by case and users must be able to explain why the whitelist is essential for the functioning of their wiki. The decision to add it to the CSP should be approved by 2 SRE members."
[23:56:26] <John_Ivan>	 Skizzerz, I go by a usecase mentality. certainly I'm not the only user who has encountered this issue before. and given that they haven't done anything to alleviate the issue, then it means it was a design choice and I don't want to waste time with "we unfortunately do not allow external images outside the domains listed"
[23:56:47] <John_Ivan>	 yeah. no.
[23:56:55] <John_Ivan>	 I'll try a different provider. :)
[23:57:48] <Skizzerz>	 well they've allow-listed a couple dozen domains, ostensibly for external images although they left it in default-src rather than img-src which is probably not a great idea security-wise
[23:59:08] <Skizzerz>	 anyway, if you really want to move and were just looking for an excuse to do so, don't let me stop you :)
[23:59:35] <John_Ivan>	 I just want to list a simple picture.
[23:59:45] <John_Ivan>	 I don't want to go through a bureaucratic system to do it.
[23:59:46] <John_Ivan>	 :P