
Add labs to $wgCrossSiteAJAXdomains
Closed, Declined | Public

Description

I'm here to request CORS to be enabled for sites hosted at Labs (*.wmflabs.org) and Tool Labs (tools.wmflabs.org). Personally, it'll be great if those tools hosted here that require MediaWiki API calls can be served via JSON (and not JSONP, 'cause JSON requests can be cached). Aren't tools hosted at Labs & Tool Labs more or less trusted?

By the way, I'm aware of T22814 and T62835.

Event Timeline

Kenrick95 raised the priority of this task from to Needs Triage.
Kenrick95 updated the task description.
Kenrick95 added a subscriber: Kenrick95.
Krenair added a subscriber: Krenair.

Labs (*.wmflabs.org) and Tool Labs (tools.wmflabs.org)

Tools is part of labs, and matches the first domain.

I think this is one of the security-sensitive settings (but don't remember the exact implications off the top of my head), and it has "DO NOT add domains here that aren't WMF wikis unless you really know what you're doing" as a comment.

Aren't tools hosted at Labs & Tool Labs more or less trusted?

Nope, those are not trusted.

Krenair renamed this task from "Enable $wgCrossSiteAJAXdomains for sites hosted at WMF Labs and Tool Labs" to "Add labs to $wgCrossSiteAJAXdomains". (Jan 2 2016, 9:15 PM)
Krenair set Security to None.

Whitelisting wmflabs.org would have the effect that then anyone can steal anyone's CSRF tokens, just by registering for a labs account and starting up an instance with a webserver that drops some JavaScript in an iframe on the wmflabs.org domain. Labs projects are very much not trusted.

So I would strongly oppose that, and recommend we close this as declined.

If we have a specific tool that is commonly used, and needs to be more deeply integrated into the project sites, then we should consider converting that to an extension, where it will receive a security review, etc.

MaxSem claimed this task.

Alternatively, OAuth can be used as well.

Aside from accessing APIs as a logged-in user, I think there is a very valid use case here for accessing the APIs as a logged-out user. Simple things like siteinfo, namespaces, search, revision queries etc. For ajaxy tools that want some of this stuff it's really awkward to have to build your own API to proxy requests to wmf domains from a tool backend, rather than directly.

This data is already exposed currently, but it requires adding a callback parameter which triggers the JSON-P format and the associated session-less API mode. However, these callbacks are typically random temporary strings and make the URL uncacheable.

Having a way to trigger &origin=* (CORS) for arbitrary domains and get the anonymous mode would be very valuable. We currently don't do this because we implemented the anonymous/JSON-P mode way before CORS was a common feature in web browsers. Nowadays it's nearly ubiquitous.

Having a way to trigger &origin=* (CORS) for arbitrary domains and get the anonymous mode would be very valuable.

Probably best to continue that on T62835: Enable cross-domain API requests in API's JSON responses?
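
The two modes discussed in this task (credentialed CORS for allowlisted origins, and an anonymous origin=* mode for everyone else) can be sketched as a server-side decision function. This is an added example, not MediaWiki's code or the WMF configuration: the pattern list, the function names and the rule that origin= must equal the Origin header are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed allowlist in the wildcard style the task discusses (not the real config).
TRUSTED_ORIGIN_PATTERNS = ["*.wikipedia.org", "*.wikimedia.org"]


def origin_host(origin):
    """Return the lowercased host of an Origin header value, or None if malformed."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def cors_decision(origin_header, origin_param, patterns=TRUSTED_ORIGIN_PATTERNS):
    """Decide the CORS response headers and whether the session cookie is honoured.

    origin_header: Origin header sent by the browser.
    origin_param:  value of the API's origin= parameter ('*' selects anonymous mode).
    """
    if origin_param == "*":
        # Anonymous mode: any site may read the response, but the request is
        # handled as logged out, so no token or private data is reachable.
        return {"use_session": False,
                "headers": {"Access-Control-Allow-Origin": "*"}}

    host = origin_host(origin_header)
    if host is None or origin_param != origin_header:
        # Malformed or mismatched origin: send no CORS headers at all.
        return {"use_session": False, "headers": {}}

    if any(fnmatchcase(host, pattern) for pattern in patterns):
        # Credentialed mode: the page at this origin can read responses made
        # with the user's session, so every host a pattern matches must be trusted.
        return {"use_session": True,
                "headers": {"Access-Control-Allow-Origin": origin_header,
                            "Access-Control-Allow-Credentials": "true",
                            "Vary": "Origin"}}

    return {"use_session": False, "headers": {}}
```

Adding "*.wmflabs.org" to the pattern list moves every host under that domain into the credentialed branch, which is the exposure described in the comments above; the origin=* branch serves the logged-out use case without it.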