
Consider setting "Secure" on cookies that EFF HTTPS-Everywhere sets this on for us (tracking)
Open, Medium, Public

Description

HTTPS-Everywhere has some securecookie rules for WMF sites... I don't know if the "not secured by server" is necessarily correct, or was copied from elsewhere

https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Wikimedia.xml#L110-L120

	<!-- Not secured by server: -->
	<!--securecookie host="^\.wiki(books|data|mediafoundation|pedia|versity)\.org$" name="^GeoIP$" /-->
	<!--securecookie host="^(?:www\.)?wikidata\.org$" name="^WMF-Last-Access$" /-->
	<!--securecookie host="^en\.wikipedia\.org$" name="^(CentralAuthAnon|mediaWiki\.user\.sessionId|uls-previous-languages)$" /-->

	<securecookie host="^(?:www\.)?mediawiki\.org$" name=".+" />
	<securecookie host="^\.wik(?:ibooks|idata|imedia|imediafoundation|inews|ipedia|iquote|isource|iversity|ivoyage|tionary)\.org$" name="^GeoIP$" />
	<securecookie host="^(?:[^@:/]+\.)?wik(?:ibooks|idata|inews|ipedia|iquote|isource|iversity|ivoyage|tionary)\.org$" name=".+" />
	<securecookie host="^(?:species|commons|meta|incubator|wikitech)\.wikimedia\.org$" name=".+" />
	<securecookie host="^wikimediafoundation\.org$" name=".+" />

I'm presuming this would be more of a MW bug (ie the site is only HTTPS, and we're not setting the secure flag)... But either way, we should look at dealing with it :)

Event Timeline

Reedy raised the priority of this task from to Needs Triage.
Reedy updated the task description.
Reedy added subscribers: Reedy, csteipp.

As I put on IRC, GeoIP and WMF-Last-Access are set from Varnish. sessionId is set from some JavaScript. They should probably all be set secure.

In general, all cookies from wmf sites can be set secure except the forceHTTPS cookie, which is intentionally set insecure so if we see it on plain http, we know we need to redirect the user.

And some background on the rules from https://www.eff.org/https-everywhere/rulesets, for anyone who's trying to figure them out.

Secure Cookies

Many HTTPS websites fail to correctly set the secure flag on authentication and/or tracking cookies. HTTPS Everywhere provides a facility for turning this flag on. For instance:

<securecookie host="^market\.android\.com$" name=".+" />
The "host" parameter is a regexp specifying which domains should have their cookies secured; the "name" parameter is a regexp specifying which cookies should be secured. For a cookie to be secured, it must be sent by a target host for that ruleset. It must also be sent over HTTPS and match the name regexp. For cookies set by Javascript in a web page, the Firefox extension can't tell which host set the cookie and instead uses the domain attribute of the cookie to check against target hosts. A cookie whose domain attribute starts with a "." (the default, if not specified by Javascript) will be matched as if it was sent from a host name made by stripping the leading dot.

In general, the rules at https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Wikimedia.xml#L110-L120 look ok to me-- they won't harm anything.

I'd like to be more strict on the top-level cookies and match all cookies like you do for the subdomain, but the "forceHTTPS" cookie then wouldn't get sent to http connections, and we lose that functionality. If we can match all cookies except forceHTTPS, that would be better.

In practice, we're redirecting to https for everything and setting hsts, so there's no theoretical need for the forceHTTPS cookie on WMF sites anymore, unless something else goes wrong in Varnish... which has happened.

I guess (?!forceHTTPS) in some way or another
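As an added illustration, not code from this thread, from HTTPS Everywhere or from MediaWiki: the matching the EFF excerpt above describes (host regexp, name regexp, HTTPS-only, leading-dot stripping for script-set cookies), plus the "all cookies except forceHTTPS" rule Reedy and csteipp discuss, written in Python. The host and name regexps for the wiki subdomains are copied from the ruleset quoted in the description; the `^(?!forceHTTPS$).+` name pattern is the assumed form of the negative lookahead, the "target host" check is simplified to the host regexp, and the Set-Cookie lines at the bottom are constructed samples.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SecureCookieRule:
    """One <securecookie host=... name=.../> element, as described in the EFF ruleset docs."""
    host: str  # regexp matched against the host that set the cookie
    name: str  # regexp matched against the cookie name

    def matches(self, host: str, name: str) -> bool:
        return re.search(self.host, host) is not None and re.search(self.name, name) is not None


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # Domain attribute as the browser stores it ("" if none)
    set_by_script: bool  # True for document.cookie, False for a Set-Cookie header
    over_https: bool     # whether the page/response that set it was HTTPS


def effective_host(cookie: Cookie, response_host: str) -> str:
    """Host the extension compares against the rule, following the EFF text:
    header-set cookies use the responding host; script-set cookies use the
    cookie's domain attribute with a leading dot stripped."""
    if not cookie.set_by_script:
        return response_host
    return cookie.domain.lstrip(".")


def should_secure(cookie: Cookie, response_host: str, rules) -> bool:
    """Would the extension turn on the Secure flag for this cookie?
    Assumption: the 'sent by a target host' check is folded into the host regexp."""
    if not cookie.over_https:
        return False
    host = effective_host(cookie, response_host)
    return any(r.matches(host, cookie.name) for r in rules)


# Copied from the Wikimedia ruleset quoted in the task description.
WIKI_SUBDOMAINS = SecureCookieRule(
    r"^(?:[^@:/]+\.)?wik(?:ibooks|idata|inews|ipedia|iquote|isource|iversity|ivoyage|tionary)\.org$",
    r".+",
)
# Assumed form of the lookahead Reedy suggests: every cookie on the bare
# domain except forceHTTPS, which must stay readable on plain http.
TOP_LEVEL_EXCEPT_FORCEHTTPS = SecureCookieRule(
    r"^wikimediafoundation\.org$",
    r"^(?!forceHTTPS$).+",
)
RULES = [WIKI_SUBDOMAINS, TOP_LEVEL_EXCEPT_FORCEHTTPS]


def missing_secure(set_cookie_headers, exempt=("forceHTTPS",)):
    """Server-side check: names of cookies in Set-Cookie header lines that lack
    the Secure attribute, skipping names that are deliberately insecure."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if name not in exempt and "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers, not captured from any Wikimedia server.
SAMPLE_HEADERS = [
    "GeoIP=XX:Example; Domain=.wikipedia.org; Path=/",
    "WMF-Last-Access=27-Apr-2016; Path=/; HttpOnly; Secure",
    "forceHTTPS=true; Path=/",
]

if __name__ == "__main__":
    c = Cookie("CentralAuthAnon", ".wikipedia.org", set_by_script=False, over_https=True)
    print(should_secure(c, "en.wikipedia.org", RULES))
    print(missing_secure(SAMPLE_HEADERS))
```

The lookahead is anchored with `$` so a cookie named, say, `forceHTTPS2` would still be secured; only the exact `forceHTTPS` name is exempt. The `missing_secure` check mirrors the same exemption on the server side, which is the shape of audit the thread converges on: everything Secure except the one cookie whose job is to be seen over plain http.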

fgiunchedi triaged this task as Medium priority. Apr 27 2016, 2:58 PM
BBlack subscribed.

Removing Traffic/Ops here, as the Traffic-layer cookies are all marked secure now.

Sweet :)

I guess we need to look and see what else needs dealing with at this point

Krinkle renamed this task from securecookies to Consider setting "Secure" on cookies that EFF HTTPS-Everywhere sets this on for us. Sep 25 2021, 9:43 PM
Krinkle renamed this task from Consider setting "Secure" on cookies that EFF HTTPS-Everywhere sets this on for us to Consider setting "Secure" on cookies that EFF HTTPS-Everywhere sets this on for us (tracking).