
Allow TemplateStyles (via css-sanitizer) to use protocol-relative URLs
Closed, Resolved (Public)

Description

From a discussion with @Nirmos regarding TemplateStyles adoption on Swedish Wikipedia

Summary

TemplateStyles (or perhaps more correctly css-sanitizer) does not allow protocol-relative URLs for background images and the like. It should.

Description

When trying to use protocol-relative URLs in TemplateStyles, the user sees a message such as "Invalid or unsupported value for property background at line x character y."

From @Nirmos, "Protocol-relative URLs are really common in the MediaWiki namespace, and there is a reason for that. In 2012, a global bot (run by Hoo man) made all URLs in the MediaWiki namespace protocol-relative in preparation for the switch to HTTPS (which was made on June 12, 2015). https://sv.wikipedia.org/w/index.php?diff=15652298 is an example of such an edit.

In summary, protocol-relative URLs are really common across the MediaWiki namespace on WMF wikis, and will definitely pose a problem when trying to migrate styles to TemplateStyles, and the error message is not of any help."

Event Timeline

Thanks for creating this task. However, I'm not sure allowing protocol-relative URLs is going in the right direction. https://www.paulirish.com/2010/the-protocol-relative-url/ describes protocol-relative URLs as an anti-pattern, and https://en.wikipedia.org/wiki/Wikipedia:Protocol-relative_URL says that they should no longer be used on Wikipedia. Other solutions include:

  1. Try to make the error message better. The conversation in T185623 suggests this may be difficult. If it proves too hard to do this, a "preemptive" warning could be added to the page when creating or editing TemplateStyles, like "Note: If you are using url(), make sure that the URL starts with https:// and not //". Now, I do realize that MediaWiki ≠ Wikimedia, so that preemptive warning should probably be limited to Wikimedia.
  2. A global sysop/interface editor/steward could be asked to replace the protocol-relative URLs with https.
  3. If all else fails, we can at the very least make sure that this quirk is properly documented at https://www.mediawiki.org/wiki/Help:TemplateStyles. However, I'm not sure this will prove very effective. The vast majority of WMF users will not read that page, and to third-party wikis it might come across as irrelevant or obvious information as the more technical page https://www.mediawiki.org/wiki/Extension:TemplateStyles already describes how to use configuration variables like $wgTemplateStylesAllowedUrls.

Tgr subscribed.

As Nirmos says, TemplateStyles allows arbitrary URL rules, the Wikimedia instance is just configured to expect HTTPS ones. Wikimedia sites are HTTPS-only so protocol-relative URLs don't really make sense (but there is probably no harm in them either) but they could certainly be enabled for better handling of legacy code.

> As Nirmos says, TemplateStyles allows arbitrary URL rules, the Wikimedia instance is just configured to expect HTTPS ones. Wikimedia sites are HTTPS-only so protocol-relative URLs don't really make sense (but there is probably no harm in them either) but they could certainly be enabled for better handling of legacy code.

Not quite.

  • css-sanitizer allows arbitrary URLs in url(), and makes it possible to add restrictions.
  • TemplateStyles takes advantage of that to only allow URLs in a whitelist.
  • The default configuration, which is used on Wikimedia wikis, whitelists the HTTPS URLs used to access Commons images.

IMO it would be better for people to just specify the protocol. But if people really want to be able to use protocol-relative URLs anyway, it would be easy enough for someone to make a configuration change. This would probably do it.

$wgTemplateStylesAllowedUrls = [
    'audio' => [
        '<^(?:https:)?//upload\\.wikimedia\\.org/wikipedia/commons/>',
    ],
    'image' => [
        '<^(?:https:)?//upload\\.wikimedia\\.org/wikipedia/commons/>',
    ],
    'svg' => [
        '<^(?:https:)?//upload\\.wikimedia\\.org/wikipedia/commons/[^?#]*\\.svg(?:[?#]|$)>',
    ],
    'font' => [],
    'namespace' => [ '<.>' ],
    'css' => [],
];

Or make them (?:https?:)? if you also want to allow HTTP for some reason.

@Tgr, @Anomie: I have a proposal. I can nominate myself to become an interface editor. If the nomination goes well, I'll change the protocol-relative URLs to https in all CSS pages in the MediaWiki namespace across all WMF wikis. If the nomination fails, the ball is back to you guys, which may or may not mean "relenting" to allowing protocol-relative URLs. Does that sound like a good plan to you? If you find that agreeable, I can nominate myself now. I mean, even if the nomination fails, no one can accuse us of not trying to do the right thing, which is a win.

Thanks, that would be cool.

The nomination failed, so this is now out of my hands.

Let's bite the bullet on this. Allowing relative URLs on Wikimedia wikis has no negative impact since the wikis themselves are only reachable via HTTPS so the URLs will resolve to that anyway. The extension default should not be changed though as it can be used on non-HTTPS-only wikis (although I guess if your whole page is served over HTTP then protocol-relative image links are not going to be your biggest problem).

> Or make them (?:https?:)? if you also want to allow HTTP for some reason.

Let's not, that would cause a MITM vulnerability and probably mixed content warnings in some edge cases (when that is the first request the browser makes to upload.wikimedia.org so it hasn't seen any HSTS header yet).
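
Added example (not code from this task, its participants or the TemplateStyles project): it runs constructed sample URLs against three variants of the 'image' allowlist pattern discussed above and reports which scheme the browser would end up using, for a page served over HTTPS and one served over HTTP. The function names, the sample URLs and the 'https-only' variant (the pattern with the optional group removed) are assumptions made for illustration.

```php
<?php
// Added example. URLs below are constructed samples; function names are hypothetical.
// 'https-only' is an assumed form of the pattern with the optional group removed.
$variants = [
    'https-only'        => '<^https://upload\\.wikimedia\\.org/wikipedia/commons/>',
    'protocol-relative' => '<^(?:https:)?//upload\\.wikimedia\\.org/wikipedia/commons/>',
    'http-allowed'      => '<^(?:https?:)?//upload\\.wikimedia\\.org/wikipedia/commons/>',
];

$samples = [
    'https://upload.wikimedia.org/wikipedia/commons/a/a9/Example.jpg',
    '//upload.wikimedia.org/wikipedia/commons/a/a9/Example.jpg',
    'http://upload.wikimedia.org/wikipedia/commons/a/a9/Example.jpg',
    '//upload.wikimedia.org.example/wikipedia/commons/a/a9/Example.jpg', // lookalike host
    'https://example.org//upload.wikimedia.org/wikipedia/commons/x.jpg', // pattern not at start
];

/** Scheme the browser uses for $url on a page that was loaded over $pageScheme. */
function effectiveScheme(string $url, string $pageScheme): ?string {
    if (strncmp($url, '//', 2) === 0) {
        return $pageScheme; // protocol-relative URLs inherit the page's scheme
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme) ? strtolower($scheme) : null;
}

/** Map each URL to a verdict: rejected, allowed over HTTPS, or allowed over plain HTTP. */
function auditPattern(string $pattern, array $urls, string $pageScheme): array {
    $verdicts = [];
    foreach ($urls as $url) {
        if (preg_match($pattern, $url) !== 1) {
            $verdicts[$url] = 'rejected';
        } elseif (effectiveScheme($url, $pageScheme) === 'https') {
            $verdicts[$url] = 'allowed (https)';
        } else {
            // The case the thread warns about: interceptable unless HSTS upgrades it.
            $verdicts[$url] = 'ALLOWED OVER HTTP';
        }
    }
    return $verdicts;
}

foreach ($variants as $name => $pattern) {
    foreach (['https', 'http'] as $pageScheme) {
        echo "== $name, page served over $pageScheme ==\n";
        foreach (auditPattern($pattern, $samples, $pageScheme) as $url => $verdict) {
            printf("  %-18s %s\n", $verdict, $url);
        }
    }
}
```

On an HTTPS page only the 'http-allowed' variant produces an "ALLOWED OVER HTTP" verdict; the 'protocol-relative' variant produces one only when the page itself is served over HTTP, and the lookalike host and the non-anchored URL are rejected by all three.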

Change 420115 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/420115

Change 420115 merged by jenkins-bot:
[operations/mediawiki-config@master] Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/420115

Tgr claimed this task.

Change 486827 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/extensions/TemplateStyles@master] Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/486827

Change 486828 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/extensions/TemplateStyles@master] Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/486828

Change 486827 abandoned by Krinkle:
Allow protocol-relative URLs in TemplateStyles

Reason:
Dupe of If08fceae29842af8

https://gerrit.wikimedia.org/r/486827

Change 486828 abandoned by Krinkle:
Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/486828