
All: add CSP exceptions for remote images #10


Closed
wants to merge 1 commit into from

Conversation

@timmywil timmywil requested a review from Krinkle January 13, 2025 16:33
// Leaving out typekit img-src, which only loads the p.gif for analytics
'img-src' => "'self' code.jquery.com",
'img-src' => "'self' about: *.cloudfront.net events.jquery.org openjsf.org *.twimg.com gruntjs.com *.imgur.com code.jquery.com",
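Review bot: the wildcard host-sources `*.cloudfront.net` and `*.imgur.com` in the new `img-src` value admit any distribution or account on those shared services, not only the ones the blog posts actually embed; if the wider list is meant as a temporary allowance while the remote images are migrated, narrow the entries to the specific hosts seen in the posts (for example the single imgur subdomain the posts use) and record that intent in the comment above, which at present only explains the omitted typekit entry. `about:` is a scheme-source rather than a host and is unusual in `img-src`; if it is there to silence a known report, the comment should say which one so it can be removed once that source is gone.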

If it's okay with you, I'd like to import and self-host into the blog these images.

At least the ones from imgur.com and twimg.com (which are prone to deletion these days). I'd backfill from Internet Archive for any that are already gone.

Feel free to roll this out as-is either way, we can reduce it later.

@Krinkle

Krinkle commented Jan 13, 2025

I've edited a handful of posts, downloaded the file, and attached the files directly instead. E.g. https://i.imgur.com/Fof2lcP.gif on https://blog.jquery.com/2015/04/21/announcing-pep-0-3-0/.

For twimg, the URLs were already broken, so those I downloaded from the Internet Archive instead, e.g. http://a3.twimg.com/profile_images/927486315/Ralph_web_reasonably_small.jpg and http://a3.twimg.com/profile_images/1130303999/rey2_reasonably_small.png.

imgur

MariaDB [wordpress_jquery]> SELECT ID,post_title,post_status,post_name,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%imgur%';
+------+----------------------+-------------+----------------------+--------------------------------+
| ID   | post_title           | post_status | post_name            | guid                           |
+------+----------------------+-------------+----------------------+--------------------------------+
| 1642 | jQuery 1.7 Released  | publish     | jquery-1-7-released  | http://blog.jquery.com/?p=1642 |
| 3735 | Announcing PEP 0.3.0 | publish     | announcing-pep-0-3-0 | http://blog.jquery.com/?p=3735 |
+------+----------------------+-------------+----------------------+--------------------------------+
2 rows in set (0.032 sec)

MariaDB [wordpress_jqueryui]> SELECT ID,post_title,post_status,post_name,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%imgur%';
Empty set (0.024 sec)

MariaDB [wordpress_jquerymobile]> SELECT ID,post_title,post_status,post_name,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%imgur%';
Empty set (0.047 sec)

After

MariaDB [wordpress_jquery]> SELECT ID,post_title,post_status,post_name,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%imgur%';
Empty set (0.045 sec)

twimg

MariaDB [wordpress_jquery]> SELECT ID,post_title,post_status,post_name,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%twimg%';
+------+--------------------------------------------+-------------+-------------------------------------------+--------------------------------+
| ID   | post_title                                 | post_status | post_name                                 | guid                           |
+------+--------------------------------------------+-------------+-------------------------------------------+--------------------------------+
|  965 | jQuery Community Updates For November 2010 | publish     | jquery-community-updates-november2010     | http://blog.jquery.com/?p=965  |
| 1030 | Team Spotlight: The jQuery Bug Triage Team | publish     | team-spotlight-the-jquery-bug-triage-team | http://blog.jquery.com/?p=1030 |
+------+--------------------------------------------+-------------+-------------------------------------------+--------------------------------+
2 rows in set (0.040 sec)

MariaDB [wordpress_jqueryui]> SELECT ID,post_title,post_status,post_name,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%twimg%';
Empty set (0.020 sec)

MariaDB [wordpress_jquerymobile]> SELECT ID,post_title,post_status,post_name,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%twimg%';
Empty set (0.057 sec)

After

MariaDB [wordpress_jquery]> SELECT ID,post_title,post_status,post_name,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%twimg%';
Empty set (0.042 sec)
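An added example, not code from this PR or from the jquery-wp-content project: the audit above locates posts by substring match in the database, and the CSP change in the diff decides which hosts the browser will still load. The script below takes post bodies (constructed sample rows here, shaped like the `wp_posts` columns shown above), extracts every `<img src>`, and reports which image sources a given `img-src` directive would block, so the same check can be run against the original directive, the proposed one, or the posts after self-hosting. The CSP matching covers host-sources (including `*.` wildcards, which match subdomains but not the bare apex), `'self'`, and scheme-sources such as `data:` or `about:`; ports and explicit schemes inside host-sources are not handled. `SAMPLE_POSTS`, `blocked_images` and the other names are this example's own.

```python
"""Added example: find <img src> values in WordPress post bodies that a CSP
img-src directive would block. Not part of the jquery-wp-content project."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "blog.jquery.com"

# Constructed sample rows: (ID, post_title, post_content). The hosts mirror
# the ones discussed in the thread; the paths and IDs' contents are made up.
SAMPLE_POSTS = [
    (1642, "jQuery 1.7 Released",
     '<p>Chart:</p><img src="http://i.imgur.com/example.png" alt="chart">'),
    (965, "jQuery Community Updates For November 2010",
     '<img src="http://a3.twimg.com/profile_images/1/avatar.jpg" />'),
    (3901, "Grunt, Rebooted",
     '<img src="http://gruntjs.com/img/grunt-logo.png">'
     '<img src="/content/uploads/grunt-logo.png">'),
    (3439, "jQuery Chicago Pebble Giveaway",
     '<img src="https://d1234.cloudfront.net/pebble.png">'
     '<img src="data:image/gif;base64,R0lGOD">'),
]

# The two directive values from the diff, as plain strings.
OLD_IMG_SRC = "'self' code.jquery.com"
NEW_IMG_SRC = ("'self' about: *.cloudfront.net events.jquery.org openjsf.org "
               "*.twimg.com gruntjs.com *.imgur.com code.jquery.com")


class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> tag (handles <img .../> too)."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def img_sources(html):
    parser = ImgSrcCollector()
    parser.feed(html)
    return parser.srcs


def host_matches(host, source):
    """CSP host-source match: exact host, or '*.example.com' for any
    subdomain of example.com (the bare apex does not match a wildcard)."""
    source = source.lower()
    if source.startswith("*."):
        return host.endswith(source[1:])   # source[1:] is ".example.com"
    return host == source


def src_allowed(src, sources, site_host):
    """True if an img-src source list would let a page on site_host load src."""
    parsed = urlparse(src)
    scheme = parsed.scheme.lower()
    if scheme and not parsed.netloc:        # data:, blob:, about: ...
        return f"{scheme}:" in sources       # needs a matching scheme-source
    if not parsed.netloc:                    # relative URL -> same origin
        return "'self'" in sources
    host = (parsed.hostname or "").lower()   # also covers //host/path
    for source in sources:
        if source == "'self'":
            if host == site_host:
                return True
        elif source.endswith(":"):           # scheme-source, not a host
            continue
        elif host_matches(host, source):
            return True
    return False


def blocked_images(posts, img_src, site_host=SITE_HOST):
    """Map each blocked image host (or scheme) to the post IDs that embed it."""
    sources = img_src.split()
    report = {}
    for post_id, _title, content in posts:
        for src in img_sources(content):
            if not src_allowed(src, sources, site_host):
                parsed = urlparse(src)
                key = parsed.hostname or f"{parsed.scheme}:"
                report.setdefault(key, []).append(post_id)
    return report


if __name__ == "__main__":
    for label, directive in (("before", OLD_IMG_SRC), ("after", NEW_IMG_SRC)):
        print(label, blocked_images(SAMPLE_POSTS, directive))
```

Run against the original directive, every remote host in the sample posts is reported; against the proposed directive only the `data:` image remains, which shows why the host allowlist alone is not the whole picture when auditing what a page embeds. Once the images are self-hosted (relative `/content/uploads/...` paths, as in the Grunt sample), `'self'` covers them and the wider list can be dropped again.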

@Krinkle

Krinkle commented Jan 13, 2025

For events.jquery.org, those images will be broken either way, since that domain is a generic redirect now. There are only 6 posts.

MariaDB [wordpress_jquery]> SELECT ID,post_title,post_status,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%events.jquery.org%' AND post_content RLIKE 'src="[^"]+events.jquery.org';
+------+-----------------------------------------------------+-------------+--------------------------------+
| ID   | post_title                                          | post_status | guid                           |
+------+-----------------------------------------------------+-------------+--------------------------------+
| 2805 | jQuery Portland Update                              | publish     | http://blog.jquery.com/?p=2805 |
| 3024 | jQuery Heads to Austin                              | publish     | http://blog.jquery.com/?p=3024 |
| 3101 | jQuery Conference Set to Roost in San Diego         | publish     | http://blog.jquery.com/?p=3101 |
| 3317 | jQuery San Diego is in Three Weeks From Today ? Go! | publish     | http://blog.jquery.com/?p=3317 |
| 3439 | jQuery Chicago Pebble Giveaway and Filing Extension | publish     | http://blog.jquery.com/?p=3439 |
| 3495 | jQuery Chicago Roundup!                             | publish     | http://blog.jquery.com/?p=3495 |
+------+-----------------------------------------------------+-------------+--------------------------------+
6 rows in set (0.035 sec)

> use wordpress_jqueryui
MariaDB [wordpress_jqueryui]> SELECT ID,post_title,post_status,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%events.jquery.org%' AND post_content RLIKE 'src="[^"]+events.jquery.org';
Empty set (0.022 sec)

> use wordpress_jquerymobile
MariaDB [wordpress_jquerymobile]> SELECT ID,post_title,post_status,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%events.jquery.org%' AND post_content RLIKE 'src="[^"]+events.jquery.org';
Empty set (0.063 sec)

@timmywil

For the images from events.jquery.org, we could probably find them in the web archive.

@Krinkle

Krinkle commented Jan 13, 2025

For cloudfront.net, there was only one post (https://blog.jquery.com/2014/04/15/jquery-chicago-pebble-giveaway-and-filing-extension/). It embedded the Pebble logo, which had also gone 404 since. The post also contained an image from events.jquery.org. I've restored both via the Internet Archive.

For gruntjs.com, there was also only one post. That image had moved, and thus was also broken either way. Restored from an archive capture around the same time. https://blog.jquery.com/2015/11/19/grunt-rebooted/, http://gruntjs.com/img/grunt-logo.png

MariaDB [wordpress_jquery]> SELECT ID,post_title,post_status,guid FROM wp_posts WHERE post_status='publish' AND post_content LIKE '%cloudfront.net%';
+------+-----------------------------------------------------+-------------+--------------------------------+
| ID   | post_title                                          | post_status | guid                           |
+------+-----------------------------------------------------+-------------+--------------------------------+
| 3439 | jQuery Chicago Pebble Giveaway and Filing Extension | publish     | http://blog.jquery.com/?p=3439 |
+------+-----------------------------------------------------+-------------+--------------------------------+
1 row in set (0.033 sec)

MariaDB [wordpress_jquery]> SELECT ID,post_title,post_status,guid FROM wp_posts WHERE post_status='publish' AND post_content RLIKE 'src="[^"]+gruntjs.com';
+------+-----------------+-------------+--------------------------------+
| ID   | post_title      | post_status | guid                           |
+------+-----------------+-------------+--------------------------------+
| 3901 | Grunt, Rebooted | publish     | http://blog.jquery.com/?p=3901 |
+------+-----------------+-------------+--------------------------------+
1 row in set (0.032 sec)

@Krinkle

Krinkle commented Jan 13, 2025

I couldn't find any posts embedding URLs from openjsf.org. Do you have an example of a CSP report for that one? Or did you fix that one already?

@timmywil

That was from the redirect. I knew it would 404, but I wanted to remove the CSP reports.

@timmywil

There's still some posts on https://blog.jquery.com/category/events/ with some events.jquery.org images we could get from the archive. I'll do that now.

@Krinkle

Krinkle commented Jan 14, 2025

> That was from the redirect. I knew it would 404, but I wanted to remove the CSP reports.

Right, from events.jquery.org. Makes sense!

@timmywil

I think we took care of all of them and this PR is now unnecessary. Thanks!
