I'm here to request CORS to be enabled for sites hosted at Labs (*.wmflabs.org) and Tool Labs (tools.wmflabs.org). Personally, it'll be great for those tools hosted here that require MediaWiki API call can be served via JSON (and not JSONP, cause JSON requests can be cached). Aren't tools hosted at Labs & Tool Labs more or less trusted?
Labs (*.wmflabs.org) and Tool Labs (tools.wmflabs.org)
Tools is part of labs, and matches the first domain.
I think this is one of the security-sensitive settings (but don't remember the exact implications off the top of my head), and it has "DO NOT add domains here that aren't WMF wikis unless you really know what you're doing" as a comment.
Aren't tools hosted at Labs & Tool Labs more or less trusted?
Nope, those are not trusted.
Whitelisting wmflabs.org would have the effect that then anyone can steal anyone's CSRF tokens, just by registering for a labs account and starting up an instance with a webserver that drops some javascript in an iframe on the wmflabs.org domain. Labs projects are very much not trusted.
So I would strongly oppose that, and recommend we close this as declined.
If we have a specific tool that is commonly used, and needs to be more deeply integrated into the project sites, then we should consider converting that to an extension, where it will receive a security review, etc.
Alternatively, OAuth can be used as well.
Aside from accessing APIs as a logged-in user, I think there is a very valid use case here for accessing the APIs as a logged-out user. Simple things like siteinfo, namespaces, search, revision queries etc. For ajaxy tools that want some of this stuff it's really awkward to have to build your own API to proxy requests to wmf domains from a tool backend, rather than directly.
This data is already exposed currently, but it requires adding a callback parameter which triggers the JSON-P format and the associated session-less API mode. However these callbacks are typically random temporary strings and make the URL uncachable.
Having a way to trigger &origin=* (CORS) for arbitrary domains and get the anonymous mode would be very valuable. We currently don't do this because we implemented the anonymous/JSON-P mode way before CORS was a common feature in web browsers. Nowadays it's nearly ubiquitous.
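An added example (not MediaWiki's own code) modelling the three outcomes this thread distinguishes: an origin on a constructed allowlist of WMF wikis gets credentialed CORS, `origin=*` gets the anonymous session-less mode, and any other origin, Labs hosts included, gets no cross-origin access at all. The allowlist patterns and function names are assumptions made for the example.

```javascript
// Constructed allowlist for illustration; a real wiki keeps its own in config.
const CORS_ALLOWLIST = ['*.wikipedia.org', '*.wikimedia.org', 'commons.wikimedia.org'];

// Does an Origin header value match one allowlist pattern?
// A leading "*." matches one or more subdomain labels, never the bare domain
// and never a lookalike such as "wikipedia.org.evil.example".
function originMatches(origin, pattern) {
  let host;
  try {
    const u = new URL(origin);
    if (u.protocol !== 'https:') return false; // only https origins qualify
    host = u.hostname;
  } catch {
    return false; // "null" or a malformed Origin never matches
  }
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // e.g. ".wikipedia.org"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern;
}

// Decide which CORS headers to emit and whether session cookies may be used.
//   originParam:  the API's `origin` query parameter ('*' or an origin URL)
//   originHeader: the browser-supplied Origin request header
function corsDecision(originParam, originHeader) {
  if (originParam === '*') {
    // Anonymous CORS mode: any site may read the response, but the request is
    // processed logged-out, so no CSRF token or user data can leak.
    return { allowOrigin: '*', credentials: false, anonymous: true };
  }
  if (originParam !== originHeader) {
    // The origin parameter must echo the real Origin header; otherwise refuse.
    return { allowOrigin: null, credentials: false, anonymous: true };
  }
  const trusted = CORS_ALLOWLIST.some((p) => originMatches(originHeader, p));
  if (!trusted) {
    // Labs/Tool Labs hosts land here: not allowlisted, so no credentialed
    // cross-origin access, hence no cross-site CSRF token theft.
    return { allowOrigin: null, credentials: false, anonymous: true };
  }
  // Trusted wiki: echo the exact origin and allow the session to be honoured.
  return { allowOrigin: originHeader, credentials: true, anonymous: false };
}
```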
Probably best to continue that on T62835: Enable cross-domain API requests in API's JSON responses?