
Add localhost to $wgCrossSiteAJAXdomains
Closed, Declined (Public)

Description

Can CORS be allowed for sites hosted at localhost, so that tool developers using WMF's MediaWiki API can try their tools out when developing on their local machine?

Similar: T22814, T62835, T122720.

Event Timeline

Kenrick95 created this task. Jan 1 2016, 2:13 PM
Kenrick95 raised the priority of this task from to Needs Triage.
Kenrick95 updated the task description.
Kenrick95 added subscribers: Aklapper, Matanya, StudiesWorld and 2 others.
Krenair added a subscriber: Krenair.
Restricted Application added a subscriber: Luke081515. Jan 2 2016, 9:17 PM
Krenair renamed this task from Enable $wgCrossSiteAJAXdomains for sites hosted at localhost to Add localhost to $wgCrossSiteAJAXdomains. Jan 2 2016, 9:18 PM
Krenair set Security to None.
csteipp edited projects, added Security-Team; removed Security. Jan 12 2016, 10:30 PM

@Kenrick95, the fix for T62835 should address this issue sufficiently, without the need to explicitly add "localhost" to $wgCrossSiteAJAXdomains. Do you have other information that leads you to believe that localhost needs to be explicitly listed?

Since that task has had no new comment since Nov 2015, I think it's better to allow "localhost" first before extending it to that task itself, i.e. solve the smaller issue before solving a much larger one.

Honestly, I feel a bit iffy about this. I'm not sure if there would be any security badness from doing this, but it just feels "icky".

Maybe people who need this sort of thing, could just add something like

foo.wikipedia.org 127.0.0.1

to their /etc/hosts, and then test their thing using foo.wikipedia.org as the local web server.

@Bawolff Not sure a DNS kludge is optimal. You can't change /etc/hosts on Chromebooks (ChromeOS mounts this partition read-only) or on machines where you are not root. But then, developing on a machine without root access isn't optimal, and we have recommendations for Vagrant.

@csteipp Do you see any risk (a rogue browser extension for example?) for a CORS rule including localhost?

If you aren't root you can't run a webserver on port 80 or 443, so this bug wouldn't help you.

csteipp closed this task as Declined. Feb 16 2016, 11:08 PM
csteipp claimed this task.

I think T62835: Enable cross-domain API requests in API's JSON responses will address the main use cases, and adding localhost does not seem like a wise thing to do. While I sympathize with making things easier for developers, I think this opens too much attack surface for the benefit.
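As an added illustration of the trade-off argued in this task (example code, not MediaWiki's own origin-matching logic; the wildcard semantics and the sample allowlist are constructed), a small origin allowlist checker showing why a bare "localhost" entry admits every process listening on any local port, while the /etc/hosts approach already fits the existing wildcard entries:

```python
import re
from urllib.parse import urlsplit

# Hosts that resolve to the developer's own machine. Any process listening on
# any port there can present such an Origin, so an allowlist entry for them
# admits far more than one developer's tool.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _pattern_to_regex(pattern):
    """Turn an allowlist entry into a regex. Assumed semantics (not
    MediaWiki's): '*' stands for one or more DNS labels, everything else is
    matched literally and case-insensitively."""
    escaped = re.escape(pattern.lower())
    return re.compile("^" + escaped.replace(r"\*", r"[^.]+(?:\.[^.]+)*") + "$")


def origin_allowed(origin, allowlist):
    """Decide whether an Origin header value matches the allowlist.
    Only the host is compared; scheme and port are ignored, so a 'localhost'
    entry accepts every local port. 'null' or malformed origins are rejected."""
    host = urlsplit(origin).hostname
    if not host:
        return False
    return any(_pattern_to_regex(p).match(host) for p in allowlist)


def audit_allowlist(allowlist):
    """Return entries that name a loopback host or whose wildcard would
    accept one; these are the entries a reviewer should question."""
    flagged = []
    for entry in allowlist:
        rx = _pattern_to_regex(entry)
        if entry.lower() in LOOPBACK_HOSTS or any(rx.match(h) for h in LOOPBACK_HOSTS):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    # Constructed allowlist in the style of $wgCrossSiteAJAXdomains, with the
    # proposed 'localhost' entry appended.
    proposed = ["*.wikipedia.org", "*.wikimedia.org", "localhost"]
    # /etc/hosts approach: a local server answering as foo.wikipedia.org
    # already matches the existing wildcard, no new entry needed.
    print(origin_allowed("http://foo.wikipedia.org", proposed[:2]))  # True
    # The proposed entry admits any local port, i.e. any local process.
    print(origin_allowed("http://localhost:8080", proposed))  # True
    print(audit_allowlist(proposed))  # ['localhost']
```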

sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 7:08 PM