We want to try out T185075: A template to show discourse-mediawiki.wmflabs.org feeds in MediaWiki.org, and for that we would need https://discourse-mediawiki.wmflabs.org whitelisted for Extension:RSS.
$wgRSSUrlWhitelist
Description
Description
Details
Details
Customize query in gerrit
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Declined | None | T185075 A template to show discourse-mediawiki.wmflabs.org feeds | |||
| Declined | None | T185087 Whitelist discourse-mediawiki.wmflabs.org for Extension:RSS in MediaWiki.org |
Event Timeline
Comment Actions
Change 404653 had a related patch set uploaded (by Aklapper; owner: Aklapper):
[operations/mediawiki-config@master] Allow discourse-mediawiki.wmflabs.org RSS feed on mediawiki.org
Comment Actions
I was under the (wrong?) impression that $wgRSSUrlWhitelist could accept a domain or a wildcard like discourse-mediawiki.wmflabs.org/*. As explained above, the idea is that people could use this template to point to different feeds, and Discourse has as many as tags and users, and more.
Comment Actions
Stalled until the plan for T185075: A template to show discourse-mediawiki.wmflabs.org feeds ref feeds and performance is resolved.
Comment Actions
Yeah, that's wrong. It can take * but other than that needs an exact match.
So probably we should add a regex/prefix whitelist or domain whitelist before attempting this.
Comment Actions
Change 406017 had a related patch set uploaded (by Samwilson; owner: Samwilson):
[mediawiki/extensions/RSS@master] Add prefix support to URL whitelist
Comment Actions
I've made a patch to permit the trailing *. https://gerrit.wikimedia.org/r/406017 Or do we want to do a regex?
Comment Actions
Not a regex, having to escape dots in the domain name violates security-by-default best practices (my bad for suggesting that). Could be a separate array containing domains or URL prefixes, to prevent problems with real URLs ending with *, but the probability of that seems negligible.
Comment Actions
Change 434901 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Add WMDS support question feed to mediawikiwiki RSS whitelist
Comment Actions
Change 404653 abandoned by Aklapper:
Allow discourse-mediawiki.wmflabs.org RSS feed on mediawiki.org
Reason:
Superseded by https://gerrit.wikimedia.org/r/#/c/434901/
Comment Actions
Change 434901 merged by jenkins-bot:
[operations/mediawiki-config@master] Add WMDS support question feed to mediawikiwiki RSS whitelist
Comment Actions
Mentioned in SAL (#wikimedia-operations) [2018-05-30T13:22:15Z] <zfilipin@tin> Synchronized wmf-config/InitialiseSettings.php: SWAT: [[gerrit:434901|Add WMDS support question feed to mediawikiwiki RSS whitelist (T185087)]] (duration: 01m 01s)
Comment Actions
The current state of this is that we need to decide on what form the whitelist should take. The patch above is for trailing asterisks, but I think that's sounding too limiting. The other idea is for an map of domain names to path regexes, e.g.:
$wgRSSUrlWhitelist = [ 'discourse-mediawiki.wmflabs.org' => '/.*\.rss/i', 'example.org' => '|/feed(/atom)?|i', ];
How would that work if a site wanted to whitelist all domains? And is this too confusing for backwards compatibility (we'd have to check for a string key, I guess, and assume it's a domain; if there's no string key then we'd assume that the value is not a regex and treat is as a whole whitelisted URL)? Maybe it's easier to have a separate config variable?
Comment Actions
Yeah, it's definitely clearer and safer to not mix values with different semantics in the same variable.
Note that the current feed display is rather poor, fixing that will probably be the trickier part.
Comment Actions
Okay, how about we just add a new config var called $wgRSSUrlWhitelistRegexes that is a simple list of regexes (and doesn't have the domain-name key)?
Then the two whitelist variables can be used together, or just one or the other. This would also permit whitelisting unknown subdomains e.g. .*\.example\.org/.*\.rss.
Comment Actions
Per discussion with @Samwilson, this is probably not worth the effort; writing a custom extension for exposing Discourse feeds in MediaWiki will have better results. Filed as T215053: Write an extension for displaying Discourse feeds on mediawiki.org.
Comment Actions
Change 406017 abandoned by Samwilson:
Add prefix support to URL whitelist
Reason:
This needs some more thought, and is not required at the moment.