Page MenuHomePhabricator

Allow TemplateStyles (via css-sanitizer) to use protocol-relative URLs
Closed, ResolvedPublic

Description

From a discussion with @Nirmos regarding TemplateStyles adoption on Swedish Wikipedia

Summary

TemplateStyles (or perhaps more correctly css-sanitizer) does not allow protocol-relative URLs for background images and the like. It should.

Description

When trying to use protocol relative URLS in TemplateStyles the user sees a message such as, "Invalid or unsupported value for property background at line x character y."

From @Nirmos, "Protocol-relative URLs are really common in the MediaWiki namespace, and there is a reason for that. In 2012, a global bot (ran by Hoo man) made all URLs in the MediaWiki namespace protocol-relative in preparation for the switch to HTTPS (which was made on June 12, 2015). https://sv.wikipedia.org/w/index.php?diff=15652298 is an example of such an edit.

In summary, protocol-relative URLs are really common across the MediaWiki namespace on WMF wikis, and will definitely pose a problem when trying to migrate styles to TemplateStyles, and the error message is not of any help."

Event Timeline

Thanks for creating this task. However, I'm not sure allowing protocol-relative URLs is going in the right direction. https://www.paulirish.com/2010/the-protocol-relative-url/ describes protocol-relative URLs as an anti-pattern, and https://en.wikipedia.org/wiki/Wikipedia:Protocol-relative_URL says that they should no longer be used on Wikipedia. Other solutions include:

  1. Try to make the error message better. The conversation in T185623 suggests this may be difficult. If it proves too hard to do this, a "preemptive" warning could be added to the page when creating or editing TemplateStyles, like "Note: If you are using url(), make sure that the URL starts with https:// and not //". Now, I do realize that MediaWiki ≠ Wikimedia, so that preemptive warning should probably be limited to Wikimedia
  2. A global sysop/interface editor/steward could be asked to replace the protocol-relative URLs with https
  3. If all else fails, we can at the very least make sure that this quirk is properly documented at https://www.mediawiki.org/wiki/Help:TemplateStyles. However, I'm not sure this will prove very effective. The vast majority of WMF users will not read that page, and to third-party wikis it might come across as irrelevant or obvious information as the more technical page https://www.mediawiki.org/wiki/Extension:TemplateStyles already describes how to use configuration variables like $wgTemplateStylesAllowedUrls
Tgr added a subscriber: Tgr.

As Nirmos says, TemplateStyles allows arbitrary URL rules, the Wikimedia instance is just configured to expect HTTPS ones. Wikimedia sites are HTTPS-only so protocol-relative URLs don't really make sense (but there is probably no harm in them either) but they could certainly be enabled for better handling of legacy code.

As Nirmos says, TemplateStyles allows arbitrary URL rules, the Wikimedia instance is just configured to expect HTTPS ones. Wikimedia sites are HTTPS-only so protocol-relative URLs don't really make sense (but there is probably no harm in them either) but they could certainly be enabled for better handling of legacy code.

Not quite.

  • css-sanitizer allows arbitrary URLs in url(). And makes it possible to add restriction.
  • TemplateStyles takes advantage of that to only allows URLs in a whitelist.
  • The default configuration, which is used on Wikimedia wikis, whitelists the HTTPS URLs used to access Commons images.

IMO it would be better for people to just specify the protocol. But if people really want to be able to use protocol-relative URLs anyway, it would be easy enough for someone to make a configuration change. This would probably do it.

$wgTemplateStylesAllowedUrls = [
    'audio' => [
        '<^(?:https:)?//upload\\.wikimedia\\.org/wikipedia/commons/>',
    ],
    'image' => [
        '<^(?:https:)?//upload\\.wikimedia\\.org/wikipedia/commons/>',
    ],
    'svg' => [
        '<^(?:https:)?//upload\\.wikimedia\\.org/wikipedia/commons/[^?#]*\\.svg(?:[?#]|$)>',
    ],
    'font' => [],
    'namespace' => [ '<.>' ],
    'css' => [],
];

Or make them (?:https?:)? if you also want to allow HTTP for some reason.

@Tgr, @Anomie: I have a proposal. I can nominate myself to become an interface editor. If the nomination goes well, I'll change the protocol-relative URLs to https in all CSS pages in the MediaWiki namespace across all WMF wikis. If the nomination fails, the ball is back to you guys, which may or may not mean "relenting" to allowing protocol-relative URLs. Does that sound like a good plan to you? If you find that agreeable, I can nominate myself now. I mean, even if the nomination fails, no one can accuse us for not trying to do the right thing, which is a win.

Thanks, that would be cool.

The nomination failed, so this is now out of my hands.

Let's bite the bullet on this. Allowing relative URLs on Wikimedia wikis has no negative impact since the wikis themselves are only reachable via HTTPS so the URLs will resolve to that anyway. The extension default should not be changed though as it can be used on non-HTTPS-only wikis (although I guess if your whole page is served over HTTP then protocol-relative image links are not going to be your biggest problem).

Or make them (?:https?:)? if you also want to allow HTTP for some reason.

Let's not, that would cause a MITM vulnerability and probably mixed content warnings in some edge cases (when that is the first request the browser makes to upload.wikimedia.org so it hasn't seen any HSTS header yet).

Change 420115 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/420115

Change 420115 merged by jenkins-bot:
[operations/mediawiki-config@master] Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/420115

Tgr claimed this task.

Change 486827 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/extensions/TemplateStyles@master] Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/486827

Change 486828 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[mediawiki/extensions/TemplateStyles@master] Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/486828

Change 486827 abandoned by Krinkle:
Allow protocol-relative URLs in TemplateStyles

Reason:
Dupe of If08fceae29842af8

https://gerrit.wikimedia.org/r/486827

Change 486828 abandoned by Krinkle:
Allow protocol-relative URLs in TemplateStyles

https://gerrit.wikimedia.org/r/486828