Currently most Wikimedia wikis use protocol-relative URLs in $wgServer, which means that wfExpandUrl with PROTO_RELATIVE will expand to a protocol-relative URL. That does not make sense since we don't actually support HTTP anymore. For HTML snippets generated by some API with PROTO_RELATIVE (which is arguably the most correct choice for an API) and displayed on another site over an insecure connection, this will mean a performance hit (because of the extra redirect) and expose users to MITM.
|Open||None||T178357 Don't use protocol relative links to Commons in MultimediaViewer|
|Open||Tgr||T118413 Wikimedia wikis should use https:// in $wgServer|
- Mentioned In
- T233090: Should EditURI be calculated using the site's canonical protocol?
T178357: Don't use protocol relative links to Commons in MultimediaViewer
T156320: $wgServer with initial https:// does not force HTTPS (wgSecureLogin)
T138142: Media Viewer embed code breaks links to Wikipedias
T117082: Cached REST endpoint for extracts requests
- Mentioned Here
- T207073: Test wg(Canonical)Server
T54253: Protocol-relative URLs are poorly supported or unsupported by a number of HTTP clients
This task description says that "we don't actually support HTTP anymore" and @Bawolff said the same on IRC this evening. This statement feels misleading since we do support HTTP and will continue to do so indefinitely. Keeping the HTTP --> HTTPS redirects working means supporting HTTP, as far as I'm concerned.
To be pedantic, I mean we no longer support serving mediawiki traffic as HTTP, so we would not want to generate any urls using anything other than https, which is what $wgServer is controlling.
When the task was written, we still allowed HTTP POST to the API (since redirects don't work there) and that could cause problems with relative URLs. Now that HTTP is completely disallowed (not from the user's POV but in the sense that our MediaWiki servers will never receive one) relative URLs are less problematic, but they still require some work to turn into absolute URLs so replacing the relative URLs in the configuration would be a performance (micro)optimization, at least.