BUG: OpenRefine reconciliation preview is broken because Aleph does not permit page embedding

[brawer]

When reconciling custom data against Aleph with OpenRefine, the preview tab is broken. OpenRefine seems to display reconciliation candidates with an embedded iframe. However, modern browsers require that the embedded page (in this case, Aleph’s entity preview) sends an HTTP header that explicitly permits embedding; see HTTP Content Security Policy. Because Aleph doesn’t send this HTTP header, OpenRefine reconciliation against Aleph is currently very cumbersome and slow.

To Reproduce

1. Use OpenRefine to reconcile a set of names against an Aleph dataset such as the Swiss company register.
2. Hover over any reconciliation candidate.
3. Instead of an entity preview panel, OpenRefine (respectively the browser) shows an error message about a Content Security Policy violation: Because aleph.occrp.org does not allow embedding its page as an iframe, the content cannot be displayed.

Expected behavior
OpenRefine should display an entity preview panel fetched from aleph.occrp.org.

Aleph version
July 31, 2023

Screenshots

Additional context

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

I used Firefox, but the same problem also happens with Chrome. In the past, users could have disabled CSP to work around this. However, to improve web security, browsers have made CSP mandatory and do not allow disabling it anymore.

[tillprochaska]

Hi @brawer, thanks for reporting this. This is intended behavior in order to prevent a class of security issues to Aleph being embedded in iframes on third-party sites.

However, I can see how this is a problem for this particular use case, especially given that Aleph already provides an OpenRefine endpoint. We’ll have to take a closer look.

Slightly off-topic: I would be interested to hear more about how you use the OpenRefine endpoint. The OpenRefine feature doesn’t get a lot of usage, and I’d like to learn more about use cases for it. If you can share some details about your use case (either here on GitHub or privately via firstname.lastname[at]occrp.org) that would be super interesting.

[tillprochaska]

127.0.0.1:3333 is the default host and port for OpenRefine, right?

[brawer]

Slightly off-topic: I would be interested to hear more about how you use the OpenRefine endpoint

For a research project, I’m trying to clean up small-scale procurements in Switzerland. Eventually, once the project is done, it would be nice to publish the data in Aleph and similar analysis tools. Unfortunately, the upstream dataset does not supply company IDs. To assign them, reconciliation with OpenRefine and Aleph’s OpenRefine endpoint seems like a convenient and fast way.

[tillprochaska]

Hi @brawer, thanks for the additional information, that is very helpful. I’m currently considering to add http://localhost:3333 as an allowed frame ancestor, but will still need to double check that adding a local origin actually works as expected. Also, it will likely take some time until it ends up in a release and is deployed on aleph.occrp.org.