
Privacy Badger interferes with CentralAuth
Closed, ResolvedPublic

Description

EFF recently launched a new extension called Privacy Badger which blocks cross-domain cookies that are used to log in the user to all Wikimedia sites at once:

Event Timeline

Tgr created this task.Aug 9 2015, 7:26 AM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr added a subscriber: Tgr.
Restricted Application added a subscriber: Aklapper. Aug 9 2015, 7:26 AM

Thanks for noticing that @Tgr.

I just installed Privacy Badger, and it's not blocking anything yet; are you seeing it block either of:

  • The call to Special:CentralAutoLogin/checkLoggedIn (whenever you hit a wiki unauthenticated)
  • The top-level redirect setting the cookie for loginwiki

If so, then we've got problems. Otherwise users with PB will get the same experience as anyone who has 3rd-party cookies disabled.

Tgr added a comment. Edited Aug 10 2015, 10:50 PM

You need to log in and out a few times on different wikis. The extension keeps track of seeing the same cookie or script when the user visits different domains, and starts blocking after a certain limit.

After using it a while, autologin across second-level domains is sometimes broken but manual login always works. (Is that what you meant by the 3rd-party-cookies-disabled experience?)

login.wikimedia.org sometimes appears on the yellow setting (cookies blocked, scripts not blocked), but most of the time it's not listed at all.

I spoke to Cooper Quintin (the author of Privacy Badger) today, and as a result of our conversation I filed a bug requesting the addition of a list of domain groups. We could then ask for *.wikipedia.org, *.wiktionary.org, *.wikisource.org, etc. to all be in the same group, so that Privacy Badger won't block requests between these domains by default.

AuFCL added a subscriber: AuFCL.Mar 21 2016, 7:50 AM
Johan added a subscriber: Johan.Mar 23 2016, 11:24 AM
AuFCL removed a subscriber: AuFCL.Nov 21 2016, 7:34 PM
Jcross added a subscriber: Jcross.Feb 24 2020, 7:46 PM

Hi @Tgr! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Tgr added a comment. Feb 24 2020, 8:48 PM

Thanks to @Catrope raising this upstream, there's now a whitelist for Wikimedia domains, so unless we think something is missing from it, this task can be resolved.
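
The heuristic Tgr describes above (a third-party origin gets blocked once it is seen setting cookies across several first-party domains) and the domain-group whitelist that resolved the task can be modelled together. The following is an added illustration, not Privacy Badger's or MediaWiki's code; the blocking limit of 3, the visit sequence and the group membership are constructed assumptions.

```python
from collections import defaultdict

# Assumed blocking limit; the task only says "a certain limit".
THRESHOLD = 3

def base_domain(host):
    """Registrable domain, e.g. en.wikipedia.org -> wikipedia.org."""
    return ".".join(host.split(".")[-2:])

class TrackerHeuristic:
    """Simplified model of the cross-site heuristic described in the task."""
    def __init__(self, domain_groups=()):
        # Members of one allowlisted group count as first-party to each other.
        self.group_of = {d: i for i, g in enumerate(domain_groups) for d in g}
        self.seen_on = defaultdict(set)  # third party -> first parties it set cookies on
        self.blocked = set()

    def same_group(self, a, b):
        return a == b or (a in self.group_of and self.group_of[a] == self.group_of.get(b))

    def observe(self, first_party_host, request_host, sets_cookie):
        """Record one sub-request; return True if it would be blocked."""
        fp, tp = base_domain(first_party_host), base_domain(request_host)
        if self.same_group(fp, tp):
            return False
        if sets_cookie and tp not in self.blocked:
            self.seen_on[tp].add(fp)
            if len(self.seen_on[tp]) >= THRESHOLD:
                self.blocked.add(tp)
        return tp in self.blocked

# Constructed visits: the checkLoggedIn sub-request to login.wikimedia.org
# fired from four sister projects, each response carrying a cookie.
AUTOLOGIN_VISITS = [
    ("en.wikipedia.org", "login.wikimedia.org", True),
    ("en.wiktionary.org", "login.wikimedia.org", True),
    ("en.wikisource.org", "login.wikimedia.org", True),
    ("de.wikipedia.org", "login.wikimedia.org", True),
]
WIKIMEDIA_GROUP = [{"wikipedia.org", "wiktionary.org", "wikisource.org", "wikimedia.org"}]

def run(domain_groups=()):
    """Replay the visits; returns the per-request block decisions."""
    h = TrackerHeuristic(domain_groups)
    return [h.observe(*visit) for visit in AUTOLOGIN_VISITS]

if __name__ == "__main__":
    print("no domain groups:", run())                 # [False, False, True, True]
    print("Wikimedia group: ", run(WIKIMEDIA_GROUP))  # [False, False, False, False]
```

Without the group, the third distinct sister project trips the limit and every later autologin request to login.wikimedia.org is blocked; with the Wikimedia domains grouped, none of them is counted.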

JFishback_WMF moved this task from Intake to Backlog on the Privacy board.
JFishback_WMF closed this task as Resolved.Mar 10 2020, 1:07 AM
JFishback_WMF claimed this task.