
In chapter wikis can't see notifications from other wikis on Special:Notifications due to lack of CORS whitelisting
Closed, Resolved · Public

Description

Reproduce:

  1. make sure you have some unseen notifications from non-chapter wikis
  2. go to some chapter wiki, like https://fi.wikimedia.org/wiki/
  3. open https://fi.wikimedia.org/wiki/Special:Notifications
  4. you can't see those notices which are outside of the chapter wiki.

Event Timeline


@Stryn: Do chapter wikis support Wikimedia Single User Login? If not I'd call this expected behavior.


Yes they support it, otherwise I would not have reported this.

Works for me.

Did you complete the following steps?

  1. open https://fi.wikimedia.org/wiki/Special:Notifications
  2. you can't see those notices which are outside of the chapter wiki.


Hmm, interesting.

[Screenshot attached: Screenshot from 2017-11-22 10-33-25.png]

The projects and pages show up in the left column but when I click on them, nothing does. I can also reproduce this on https://nyc.wikimedia.org/wiki/Special:Notifications

Nice find :)

CommonSettings.php
if ( $wmgUseCORS ) {
	$wgCrossSiteAJAXdomains = [
		'*.wikipedia.org',
		'*.wikinews.org',
		'*.wiktionary.org',
		'*.wikibooks.org',
		'*.wikiversity.org',
		'*.wikisource.org',
		'wikisource.org',
		'*.wikiquote.org',
		'www.wikidata.org',
		'm.wikidata.org',
		'test.wikidata.org',
		'*.wikivoyage.org',
		'www.mediawiki.org',
		'm.mediawiki.org',
		'wikimediafoundation.org',
		'advisory.wikimedia.org',
		'affcom.wikimedia.org',
		'auditcom.wikimedia.org',
		'boardgovcom.wikimedia.org',
		'board.wikimedia.org',
		'chair.wikimedia.org',
		'checkuser.wikimedia.org',
		'collab.wikimedia.org',
		'commons.wikimedia.org',
		'donate.wikimedia.org',
		'exec.wikimedia.org',
		'grants.wikimedia.org',
		'incubator.wikimedia.org',
		'internal.wikimedia.org',
		'login.wikimedia.org',
		'meta.wikimedia.org',
		'movementroles.wikimedia.org',
		'office.wikimedia.org',
		'otrs-wiki.wikimedia.org',
		'outreach.wikimedia.org',
		'quality.wikimedia.org',
		'searchcom.wikimedia.org',
		'spcom.wikimedia.org',
		'species.wikimedia.org',
		'steward.wikimedia.org',
		'strategy.wikimedia.org',
		'usability.wikimedia.org',
		'wikimania????.wikimedia.org',
		'wikimaniateam.wikimedia.org',
	];
}

We just need to add the chapter wikis to this list.

Legoktm renamed this task from "In chapter wikis can't see notifications from other wikis on Special:Notifications" to "In chapter wikis can't see notifications from other wikis on Special:Notifications due to lack of CORS whitelisting". Nov 22 2017, 6:44 PM

Perhaps a dumb question, but why can't we add *.wikimedia.org to the list? This domain is pretty secure, and only contains approved code, unlike wmflabs.org.


It's actually less secure than our other production domains, because externally hosted websites like blog.wikimedia.org (WordPress analytics) and status.wikimedia.org (Google analytics) are on it.

Where would one find the official and complete list of chapters sites?

@SBisson it seems like this is the official list https://wikimediafoundation.org/wiki/Local_chapters, hopefully it is also complete. So we'd need to add all of these domains to wmf-config/CommonSettings.php in operations/mediawiki-config. @Hagarshilo would you like to take that on?


I found another page, https://meta.wikimedia.org/wiki/Wikimedia_chapters.

The most accurate list is probably the db list itself, https://github.com/wikimedia/operations-mediawiki-config/blob/master/dblists/wikimedia.dblist. Note that it could be great to create a system that directly uses this dblist; that would be better than simply copying it into a var. At least a script that can update the variable when needed.

Change 441096 had a related patch set uploaded (by Hagar Shilo; owner: Hagar Shilo):
[operations/mediawiki-config@master] CORS whitelist chapter wikis

https://gerrit.wikimedia.org/r/441096

I've whitelisted the chapters that are wikis or have a wiki inside (that I am aware of).
I've listed below the chapters that are not wikis and do not seem to contain a wiki.

wikimedia.org.ar
wikimedia.at
wikimedia.org.au
wikimedia.org.bd
wikimedia.ch
wikimedia.de
wikimedia.es
wikimedia.fr
wikimedia.org.il
wikimedia.it
wikimedia.nl
wikimedia.co.za // Site can't be reached


I don't think we should be whitelisting wikis that aren't hosted by Wikimedia...


Aye, this is why @Hagarshilo separated the lists between chapters that are wikis and ones that aren't -- but I'm not sure how to check, even with the ones that are wikis, whether we are certain all of those are hosted by us.

The ones that are on the above list were not inserted into the CORS whitelist; they're the ones left over from the ones she saw were wikis, which were at least a little safer to assume are probably hosted by us.

So, @Reedy is there a way to know, of the domains added to the whitelist in https://gerrit.wikimedia.org/r/#/c/operations/mediawiki-config/+/441096/ if they are all hosted by us?


For example, I know wikimedia.org.uk isn't primarily a wiki; it's a WordPress frontend, with wikimedia.org.uk/wiki being MediaWiki.

Anything *.wikimedia.org that doesn't redirect to another domain is hosted by us.

I guess the simplest way is to look at where things resolve to. If the domain resolves to the same IP as wikipedia et al. do for you locally, we probably host it, or it's a redirect.

Sams-MBP:~ reedy$ host en.wikipedia.org
en.wikipedia.org has address 91.198.174.192
en.wikipedia.org has IPv6 address 2620:0:862:ed1a::1
Sams-MBP:~ reedy$ host meta.wikimedia.org
meta.wikimedia.org has address 91.198.174.192
meta.wikimedia.org has IPv6 address 2620:0:862:ed1a::1
Sams-MBP:~ reedy$ host wikimedia.org.uk
wikimedia.org.uk has address 37.188.117.184
wikimedia.org.uk mail is handled by 10 aspmx.l.google.com.
wikimedia.org.uk mail is handled by 20 alt1.aspmx.l.google.com.
wikimedia.org.uk mail is handled by 30 alt2.aspmx.l.google.com.

Or, we have a list of chapter wikis in https://github.com/wikimedia/operations-mediawiki-config/blob/master/multiversion/MWMultiVersion.php#L184-L188 as a hack ($lang.wikimedia.org)

Or, the "wikimedia" database list https://noc.wikimedia.org/conf/highlight.php?file=dblists/wikimedia.dblist

I should note, we don't explicitly whitelist *.wikimedia.org as some things aren't wikis (see phabricator), and some things aren't wikis and are also hosted offsite by a third party (see https://status.wikimedia.org/).


Yep, we're just trying to understand how to know which one of those *should* be whitelisted so they can have notifications going, among other things, and I worry we may whitelist a wrong domain.

Separating the domains that clearly had non-wiki on them so we don't whitelist those was step #1 -- now we need to verify that the domains we put up in that commit as whitelisted are really actually safe to whitelist.

BTW, I am not sure if we can trust this list? ilwikimedia is listed, but they seem to have a non-wiki site: http://wikimedia.org.il/
Is it not updated or am I misunderstanding what the dblist means?

ilwikimedia -> https://il.wikimedia.org

{$lang}wikimedia -> https://$lang.wikimedia.org

Some chapters have a WMF-hosted wiki. Some then have separate non-wiki sites on different domains too.

Sams-MBP:~ reedy$ host il.wikimedia.org
il.wikimedia.org has address 91.198.174.192
il.wikimedia.org has IPv6 address 2620:0:862:ed1a::1
Sams-MBP:~ reedy$ curl -I https://il.wikimedia.org
HTTP/2 200 
date: Tue, 19 Jun 2018 20:46:58 GMT
content-type: text/html; charset=UTF-8
server: mw1322.eqiad.wmnet
x-powered-by: HHVM/3.18.6-dev
vary: Accept-Encoding,Cookie
pragma: no-cache
expires: Thu, 01 Jan 1970 00:00:00 GMT
x-frame-options: DENY
link: </static/images/project-logos/default.png>;rel=preload;as=image
content-language: he
cache-control: no-cache, no-store, max-age=0, must-revalidate
x-content-type-options: nosniff
backend-timing: D=95710 t=1529441218672521
content-encoding: gzip
x-varnish: 638910593, 182105481, 621853194
via: 1.1 varnish (Varnish/5.1), 1.1 varnish (Varnish/5.1), 1.1 varnish (Varnish/5.1)
accept-ranges: bytes
age: 0
x-cache: cp1065 pass, cp3032 pass, cp3032 pass
x-cache-status: pass
strict-transport-security: max-age=106384710; includeSubDomains; preload
set-cookie: WMF-Last-Access=19-Jun-2018;Path=/;HttpOnly;secure;Expires=Sat, 21 Jul 2018 12:00:00 GMT
x-analytics: ns=-1;special=Badtitle;https=1;nocookies=1
x-client-ip: 81.187.84.202
set-cookie: GeoIP=GB:WLS:Newport:51.59:-3.00:v4; Path=/; secure; Domain=.wikimedia.org

I worry we may whitelist a wrong domain.

This stuff is controlled in operations/mediawiki-config so will go through review there.


ilwikimedia is listed for https://il.wikimedia.org/


Ha, whoops, right, I totally didn't think about that while typing.

So, should we adjust the commit so that we are basically taking all the listings from wikimedia.dblist and inserting them into the CORS array as $lang.wikimedia.org?

It sounds like that is the safest and best course forward?


Aye, but I want to make sure we're setting it up for success rather than going at it blindly, especially seeing as I'm not 100% sure how to do this properly, and I'm trying to guide @Hagarshilo to do it right.


Each one individually, yup. I think that's a good starter for 10 :). And certainly fixes the fiwikimedia reported problem, and the same for any other chapter type wiki

I don't think any are already in the list, but that's obviously easy to check!
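A script along the lines suggested in this thread: derive the $lang.wikimedia.org hosts from wikimedia.dblist and report which of them are not yet covered by an existing $wgCrossSiteAJAXdomains entry, wildcard entries included. This is an added example, not code from operations/mediawiki-config; the dblist contents and the whitelist subset are constructed, and the wildcard semantics ('*' any run of characters, '?' exactly one character) are assumed from the entries quoted above.

```python
import re

# Constructed sample of dblists/wikimedia.dblist: one DB name per line.
SAMPLE_DBLIST = """\
fiwikimedia
ilwikimedia
nycwikimedia
ruwikimedia
# comments and blank lines are skipped

sewikimedia
"""

# Constructed subset of the existing $wgCrossSiteAJAXdomains entries.
# 'se.wikimedia.org' stands in for a chapter wiki that is already listed.
EXISTING_WHITELIST = [
    '*.wikipedia.org',
    'meta.wikimedia.org',
    'wikimania????.wikimedia.org',
    'se.wikimedia.org',
]


def dblist_to_domains(dblist_text):
    """Map each <lang>wikimedia DB name to <lang>.wikimedia.org."""
    domains = []
    for line in dblist_text.splitlines():
        name = line.strip()
        if not name or name.startswith('#'):
            continue
        if not name.endswith('wikimedia'):
            raise ValueError('not a chapter-wiki DB name: %s' % name)
        domains.append(name[:-len('wikimedia')] + '.wikimedia.org')
    return domains


def pattern_to_regex(pattern):
    """Assumed matching: '*' is any run of characters, '?' one character."""
    escaped = re.escape(pattern).replace(r'\*', '.*').replace(r'\?', '.')
    return re.compile('^' + escaped + '$', re.IGNORECASE)


def is_whitelisted(domain, whitelist):
    return any(pattern_to_regex(p).match(domain) for p in whitelist)


def missing_domains(dblist_text, whitelist):
    """Domains from the dblist not covered by any existing entry."""
    return [d for d in dblist_to_domains(dblist_text)
            if not is_whitelisted(d, whitelist)]


def as_php_entries(domains):
    """Render lines ready to paste into the $wgCrossSiteAJAXdomains array."""
    return '\n'.join("\t\t'%s'," % d for d in sorted(domains))


if __name__ == '__main__':
    print(as_php_entries(missing_domains(SAMPLE_DBLIST, EXISTING_WHITELIST)))
```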

Change 441096 merged by jenkins-bot:
[operations/mediawiki-config@master] CORS whitelist chapter wikis

https://gerrit.wikimedia.org/r/441096

Mentioned in SAL (#wikimedia-operations) [2018-07-02T23:09:06Z] <catrope@deploy1001> Synchronized wmf-config/CommonSettings.php: Add chapter wikis to CORS domain list (T181165) (duration: 00m 52s)


Checked in wmf.10 - notifications from fi.wikimedia, ru.wikimedia, and nyc.wikimedia are displayed on chapter wikis' Special:Notifications page.