
Privacy Badger interferes with CentralAuth
Closed, ResolvedPublic

Description

EFF recently launched a new extension called Privacy Badger which blocks cross-domain cookies that are used to log in the user to all Wikimedia sites at once:

[Screenshot: privacy badger centralauth.png]

Event Timeline

Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr added a subscriber: Tgr.

Thanks for noticing that @Tgr.

I just installed Privacy Badger, and it's not blocking anything yet. Are you seeing it block either of:

  • The call to Special:CentralAutoLogin/checkLoggedIn (whenever you hit a wiki unauthenticated)
  • The top-level redirect setting the cookie for loginwiki

If so, then we've got problems. Otherwise users with PB will get the same experience as anyone who has 3rd-party cookies disabled.

You need to log in and out a few times on different wikis. The extension keeps track of seeing the same cookie or script when the user visits different domains, and starts blocking after a certain limit.

After using it a while, autologin across second-level domains is sometimes broken but manual login always works. (Is that what you meant by the 3rd-party-cookies-disabled experience?)

login.wikimedia.org sometimes appears on the yellow setting (cookies blocked, scripts not blocked), most of the time it's not listed at all.

I spoke to Cooper Quintin (the author of Privacy Badger) today, and as a result of our conversation I filed a bug requesting the addition of a list of domain groups. We could then ask for *.wikipedia.org, *.wiktionary.org, *.wikisource.org, etc. to all be in the same group, so that Privacy Badger won't block requests between these domains by default.

Hi @Tgr ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Thanks to @Catrope raising this upstream, there's now a whitelist for Wikimedia domains, so unless we think something is missing from it, this task can be resolved.
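A toy model of the behaviour discussed in this thread, added here as an example and not code from Privacy Badger, CentralAuth or Wikimedia: a third-party domain that sets cookies while embedded on several distinct first-party sites gets its cookies blocked once a limit is reached (the heuristic described above), and a domain-group allowlist like the one requested upstream exempts related Wikimedia domains from that count. The threshold of three sites, the two-label base-domain rule, the group membership list and the browsing session are all assumptions constructed for the example.

```javascript
// Added example (not Privacy Badger's or CentralAuth's own code). Models the
// heuristic from the thread: a third party that sets cookies on pages from
// several different first-party sites gets its cookies blocked after a limit.
const TRACKING_THRESHOLD = 3; // assumed value for the "certain limit"

// Registrable part of a host: "en.wikipedia.org" -> "wikipedia.org".
// Assumes a one-label public suffix; a real implementation would consult
// the Public Suffix List.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

class Badger {
  constructor(domainGroups = []) {
    this.seenOn = new Map();   // thirdParty -> Set of first-party base domains
    this.blocked = new Set();  // third parties whose cookies are blocked
    this.groups = domainGroups.map((g) => new Set(g));
  }

  // Requests within the same base domain, or within an allowlisted group,
  // are never counted as tracking.
  sameGroup(firstParty, thirdParty) {
    const a = baseDomain(firstParty);
    const b = baseDomain(thirdParty);
    if (a === b) return true;
    return this.groups.some((g) => g.has(a) && g.has(b));
  }

  // Record that a page on `firstParty` made a cookie-bearing request to
  // `thirdParty`; returns the verdict applied to that request.
  observe(firstParty, thirdParty) {
    if (this.sameGroup(firstParty, thirdParty)) return "allowed";
    if (!this.seenOn.has(thirdParty)) this.seenOn.set(thirdParty, new Set());
    const sites = this.seenOn.get(thirdParty);
    sites.add(baseDomain(firstParty));
    if (sites.size >= TRACKING_THRESHOLD) this.blocked.add(thirdParty);
    return this.blocked.has(thirdParty) ? "cookies-blocked" : "allowed";
  }

  cookiesBlocked(thirdParty) {
    return this.blocked.has(thirdParty);
  }
}

// Constructed session: each page load on a wiki triggers the cross-domain
// login check against loginwiki as a third-party request.
const LOGIN_WIKI = "login.wikimedia.org";
const SESSION = [
  "en.wikipedia.org", "de.wiktionary.org", "en.wikipedia.org",
  "fr.wikisource.org", "commons.wikimedia.org", "en.wikipedia.org",
];
// Assumed domain group, standing in for the upstream Wikimedia allowlist.
const WIKIMEDIA_GROUP = [
  "wikipedia.org", "wiktionary.org", "wikisource.org", "wikimedia.org",
];

// Run the session under a given allowlist and report whether the cookie the
// autologin check depends on would still be accepted at the end.
function simulate(domainGroups) {
  const badger = new Badger(domainGroups);
  const log = SESSION.map((site) => ({ site, verdict: badger.observe(site, LOGIN_WIKI) }));
  return { log, autologinWorks: !badger.cookiesBlocked(LOGIN_WIKI) };
}

console.log(simulate([]));                 // autologin breaks after 3 distinct wikis
console.log(simulate([WIKIMEDIA_GROUP]));  // allowlisted group: never blocked
```

In the ungrouped run the third distinct base domain (fr.wikisource.org) trips the limit, and only the later request from commons.wikimedia.org stays allowed because it shares loginwiki's base domain, which matches the observation above that autologin across second-level domains breaks while everything under wikimedia.org keeps working; with the group in place no request is counted, so the cookie is never blocked.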

JFishback_WMF claimed this task.