Page MenuHomePhabricator
Create Task
Maniphest T140858

Reconsider outputting user options directly into HTML output/page source of MediaWiki's view action
Closed, DeclinedPublic
Actions

Description

Splitting this task off of T52040#557239, we currently output the following directly into the HTML page source of MediaWiki's action=view for non-logged in users on en.wikipedia.org (with light pretty-printing):

<script>(window.RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgCanonicalNamespace":"",
    "wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Main_Page",
    "wgTitle":"Main Page",
    "wgCurRevisionId":696846920,"wgRevisionId":696846920,"wgArticleId":15580374,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view",
    "wgUserName":null,"wgUserGroups":["*"],"wgCategories":[],"wgBreakFrames":false,"wgPageContentLanguage":"en",
    "wgPageContentModel":"wikitext",
    "wgSeparatorTransformTable":["",
    ""],"wgDigitTransformTable":["",
    ""],"wgDefaultDateFormat":"dmy",
    "wgMonthNames":["",
    "January",
    "February",
    "March",
    "April",
    "May",
    "June",
    "July",
    "August",
    "September",
    "October",
    "November",
    "December"],"wgMonthNamesShort":["",
    "Jan",
    "Feb",
    "Mar",
    "Apr",
    "May",
    "Jun",
    "Jul",
    "Aug",
    "Sep",
    "Oct",
    "Nov",
    "Dec"],"wgRelevantPageName":"Main_Page",
    "wgRelevantArticleId":15580374,"wgRequestId":"V48CpApAIDYAADlksn8AAABB",
    "wgIsProbablyEditable":false,"wgRestrictionEdit":["sysop"],"wgRestrictionMove":["sysop"],"wgIsMainPage":true,"wgWikiEditorEnabledModules":{"toolbar":true,"dialogs":true,"preview":false,"publish":false},"wgBetaFeaturesFeatures":[],"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true,"wgVisualEditor":{"pageLanguageCode":"en",
    "pageLanguageDir":"ltr",
    "usePageImages":true,"usePageDescriptions":true},"wgPreferredVariant":"en",
    "wgRelatedArticles":null,"wgRelatedArticlesUseCirrusSearch":true,"wgRelatedArticlesOnlyUseCirrusSearch":false,"wgULSCurrentAutonym":"English",
    "wgFlaggedRevsParams":{"tags":{"status":{"levels":1,"quality":2,"pristine":3}}},"wgStableRevisionId":null,"wgCategoryTreePageCategoryOptions":"{\"mode\":0,\"hideprefix\":20,\"showcount\":true,\"namespaces\":false}",
    "wgNoticeProject":"wikipedia",
    "wgCentralNoticeCookiesToDelete":[],"wgCentralNoticeCategoriesUsingLegacy":["Fundraising",
    "fundraising"],"wgWikibaseItemId":"Q5296",
    "wgCentralAuthMobileDomain":false,"wgVisualEditorToolbarScrollOffset":0});mw.loader.implement("user.options",function($,jQuery,require,module){mw.user.options.set({"variant":"en"});});mw.loader.implement("user.tokens",function ( $, jQuery, require, module ) {
mw.user.tokens.set({"editToken":"+\\",
    "patrolToken":"+\\",
    "watchToken":"+\\",
    "csrfToken":"+\\"});/*@nomin*/;

});mw.loader.load(["mediawiki.page.startup",
    "mediawiki.legacy.wikibits",
    "ext.centralauth.centralautologin",
    "mmv.head",
    "ext.visualEditor.desktopArticleTarget.init",
    "ext.uls.init",
    "ext.uls.interface",
    "ext.quicksurveys.init",
    "mw.MediaWikiPlayer.loader",
    "mw.PopUpMediaTransform",
    "skins.vector.js"]);});</script>

For logged-in users, it's this (with light pretty-printing and redaction of the tokens):

<script>(window.RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgCanonicalNamespace":"",
    "wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Main_Page",
    "wgTitle":"Main Page",
    "wgCurRevisionId":696846920,"wgRevisionId":696846920,"wgArticleId":15580374,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view",
    "wgUserName":"MZMcBride",
    "wgUserGroups":["extendedconfirmed",
    "*",
    "user",
    "autoconfirmed"],"wgCategories":[],"wgBreakFrames":false,"wgPageContentLanguage":"en",
    "wgPageContentModel":"wikitext",
    "wgSeparatorTransformTable":["",
    ""],"wgDigitTransformTable":["",
    ""],"wgDefaultDateFormat":"dmy",
    "wgMonthNames":["",
    "January",
    "February",
    "March",
    "April",
    "May",
    "June",
    "July",
    "August",
    "September",
    "October",
    "November",
    "December"],"wgMonthNamesShort":["",
    "Jan",
    "Feb",
    "Mar",
    "Apr",
    "May",
    "Jun",
    "Jul",
    "Aug",
    "Sep",
    "Oct",
    "Nov",
    "Dec"],"wgRelevantPageName":"Main_Page",
    "wgRelevantArticleId":15580374,"wgRequestId":"V48HKgpAAEUAAOoC60oAAAAA",
    "wgUserId":212624,"wgUserEditCount":179895,"wgUserRegistration":1117578315000,"wgUserNewMsgRevisionId":729425882,"wgIsProbablyEditable":false,"wgRestrictionEdit":["sysop"],"wgRestrictionMove":["sysop"],"wgIsMainPage":true,"wgEchoConfig":{"version":"1.11",
    "eventlogging":{"Echo":{"enabled":false,"revision":7731316,"client":false},"EchoMail":{"enabled":true,"revision":5467650,"client":false},"EchoInteraction":{"enabled":true,"revision":15180901,"client":true}}},"wgGlobalGroups":["global-ipblock-exempt"],"wgWikiEditorEnabledModules":{"toolbar":true,"dialogs":true,"preview":false,"publish":false},"wgBetaFeaturesFeatures":[],"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true,"wgVisualEditor":{"pageLanguageCode":"en",
    "pageLanguageDir":"ltr",
    "usePageImages":true,"usePageDescriptions":true},"wgPreferredVariant":"en",
    "wgRelatedArticles":null,"wgRelatedArticlesUseCirrusSearch":true,"wgRelatedArticlesOnlyUseCirrusSearch":false,"wgULSAcceptLanguageList":["en-us",
    "en"],"wgULSCurrentAutonym":"English",
    "wgFlaggedRevsParams":{"tags":{"status":{"levels":1,"quality":2,"pristine":3}}},"wgStableRevisionId":null,"wgCategoryTreePageCategoryOptions":"{\"mode\":0,\"hideprefix\":20,\"showcount\":true,\"namespaces\":false}",
    "wgNoticeProject":"wikipedia",
    "wgCentralNoticeCookiesToDelete":[],"wgCentralNoticeCategoriesUsingLegacy":["Fundraising",
    "fundraising"],"wgNoticeUserData":{"registration":"20050531222515"},"wgWikibaseItemId":"Q5296",
    "wgVisualEditorToolbarScrollOffset":0,"wgEchoInitialNotifCount":{"alert":21,"message":187},"wgEchoSeenTime":{"alert":"20160719205515",
    "message":"20160526121023"}});mw.loader.implement("user.options",function($,jQuery,require,module){mw.user.options.set({"visualeditor-hidebetawelcome":"1",
    "visualeditor-tabs":"multi-tab",
    "visualeditor-hidetabdialog":"1",
    "ccmeonemails":"1",
    "editfont":"monospace",
    "extendwatchlist":"1",
    "forceeditsummary":"1",
    "imagesize":"1",
    "nickname":"MZMcBride",
    "rclimit":"100",
    "rows":"17",
    "showhiddencats":"1",
    "skin":"monobook",
    "underline":"0",
    "usenewrc":"1",
    "watchlistdays":"30",
    "wllimit":"1000",
    "echo-subscriptions-email-edit-user-talk":1,"echo-subscriptions-web-article-linked":"1",
    "searchNs0":"",
    "gadget-ReferenceTooltips":"",
    "gadget-DRN-wizard":"",
    "gadget-charinsert":"",
    "cx":"0",
    "gadget-addsection-plus":"1",
    "gadget-edittop":"1",
    "mfWatchlistFilter":"all",
    "mfWatchlistView":"a-z",
    "pagetriage-lastuse":"20130709122306",
    "popups":"0",
    "timecorrection":"ZoneInfo|-300|America/New_York",
    "uls-compact-links":"0",
    "usecodeeditor":"0",
    "userjs-NewPagesFeedFilterOptions":
"{ \"namespace\":\"0\", \"showunreviewed\":\"1\", \"limit\":20, \"dir\":\"newestfirst\" }",
    "userjs-curationtoolbar":"maximized",
    "userjs-gettingstarted-showtour":"0",
    "visualeditor-hideusered":"1",
    "watchlisttoken":"[...]",
    "wikibase-otherprojects":"0"});});mw.loader.implement("user.tokens",function ( $, jQuery, require, module ) {
mw.user.tokens.set({"editToken":"[...]",
    "patrolToken":"[...]",
    "watchToken":"[...]",
    "csrfToken":"[...]"});/*@nomin*/;

});mw.loader.load(["mediawiki.page.startup",
    "mediawiki.legacy.wikibits",
    "ext.gadget.WatchlistBase",
    "ext.gadget.WatchlistGreenIndicatorsMono",
    "ext.centralauth.centralautologin.clearcookie",
    "mmv.head",
    "ext.visualEditor.desktopArticleTarget.init",
    "ext.uls.init",
    "ext.uls.interface",
    "ext.quicksurveys.init",
    "mw.MediaWikiPlayer.loader",
    "mw.PopUpMediaTransform"]);});</script>

We should reconsider whether outputting all of these user options and other site data directly into the HTML page source is the best approach.

Related Objects

Event Timeline

MZMcBride created this task.Jul 20 2016, 5:20 AM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptJul 20 2016, 5:20 AM
Peachey88 updated the task description. (Show Details)Jul 20 2016, 5:35 AM
Nemo_bis subscribed.Jul 20 2016, 5:39 AM
MZMcBride added a comment.Jul 27 2016, 1:39 PM

User options are also known as user preferences.

MZMcBride mentioned this in T128602: RFC: Backend for synchronized data from Wikipedia mobile apps.Jul 27 2016, 1:50 PM
matmarex closed this task as Declined.Mar 28 2017, 4:11 PM
matmarex subscribed.

The reason for this is T36907: CSRF token-stealing attack (user.tokens) and I don't think we can change it. (User preferences include watchlisttoken, which gives anyone read access to your watchlist, and regardless most of them are considered private data.) They are already optimized to only include non-default preferences.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL