We'll be adding cross-wiki/global Echo notifications. We'd like a security review of the specific mechanism we choose for this (not yet implemented).
We expect this to be next quarter.
We'll be adding cross-wiki/global Echo notifications. We'd like a security review of the specific mechanism we choose for this (not yet implemented).
We expect this to be next quarter.
I'd like to get started on this review this week, but I don't see enough information on this phab ticket. Could someone update the description of this phab ticket with the information noted at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review?
I briefly mentioned this (or at least something highly related to this) to @csteipp this morning. The relevant patch is https://gerrit.wikimedia.org/r/#/c/284677/ . It changes the way cross-wiki notifications are retrieved.
Currently, the API response from the server contains a list of foreign wikis where the user has notifications, and their API URLs. The client then makes cross-domain AJAX requests to these other wikis to retrieve notifications from each wiki.
With this patch, the API response from the server will still contain a list of wikis, but the client will now send an API request to the local wiki with a parameter like ?wikis=frwiki|dewiki|commonswiki . The server then uses curl_multi to make API requests to those wikis in parallel, gathers the results, and sends them to the client.
The benefit of using server-side fan-out instead of client-side fan-out is that we avoid problems with cross-domain AJAX requests: we've had issues with ad blockers, Privacy Badger and IE's privacy features thinking these requests are evil trackers and blocking them. (It's not obvious to software that *.wiktionary.org domains are not third-party domains.)
@dpatrick, heads up, collaboration would like to merge gerrit 284677 before the branch cut next Tuesday. Ping me if you need help getting that finished!
Given how close to the cut we are now, let's aim to get this into the next cut instead, but with plenty of time on beta labs before that, so merging on Wednesday or Thursday. If this misses the next cut, we will have to push back a publicly announced release date.
@Catrope, really sorry this is late. I've looked through https://gerrit.wikimedia.org/r/#/c/284677 and it looks ok. I'm fine if your team pushes this today.
Thanks. I won't merge it this close to the cut because I'm concerned it needs proxy settings for curls to FQDNs like de.wikipedia.org to work on the cluster, but we'll merge it right after the cut, test in labs, and either cherry-pick it later this week or let it ride the next train.
We've just merged it, and it'll go in next week's train. Thanks for the security review!