
Security review for SecureLinkFixer extension
Closed, Resolved, Public

Description

Project Information

Description of the tool/project

Automatically rewrites HTTP links to HTTPS if the domain is on the HSTS preload list.

Description of how the tool will be used at WMF

It'll be deployed in the default configuration (there are no settings) to all wikis. It's a MediaWiki extension.

Dependencies

The extension bundles a PHP version of Mozilla's HSTS preload list. My rough plan is to update the list on a similar cycle to Firefox releases (monthly). I don't think there's any urgency of updates, given that it already takes months for new additions to make their way through the browser release cycle, and removals are pretty rare, and suffer from other problems.

Has this project been reviewed before?

No

Working test environment

Should be as simple as wfLoadExtension( 'SecureLinkFixer' );

Post-deployment

Same maintenance plan.
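
The rewrite described under "Description of the tool/project", as an added PHP sketch that is not part of the original task and is not the extension's own code. The helper names `isPreloaded` and `upgradeUrl`, the `host => includeSubDomains` list layout, and the sample entries are assumptions made for this example, and leaving URLs with an explicit port unchanged is a choice of this sketch.

```php
<?php
// Constructed sample list, host => includeSubDomains flag (assumed layout;
// these entries are illustrative, not taken from Mozilla's list).
const SAMPLE_PRELOAD = [
    'secure.example' => true,  // host and every subdomain
    'exact.example'  => false, // this host only
];

// Hypothetical helper: is $host covered by the preload list?
function isPreloaded(string $host, array $list): bool {
    $host = strtolower(rtrim($host, '.'));
    if (array_key_exists($host, $list)) {
        return true; // exact entry; the flag only matters for subdomains
    }
    // Drop the leftmost label step by step; a parent entry counts only
    // when it was preloaded with includeSubDomains.
    while (($dot = strpos($host, '.')) !== false) {
        $host = substr($host, $dot + 1);
        if (($list[$host] ?? false) === true) {
            return true;
        }
    }
    return false;
}

// Hypothetical helper: upgrade http:// to https:// for preloaded hosts.
function upgradeUrl(string $url, array $list): string {
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['host'])
        || strtolower($parts['scheme'] ?? '') !== 'http'
        || isset($parts['port']) // sketch's choice: leave explicit ports alone
        || !isPreloaded($parts['host'], $list)
    ) {
        return $url;
    }
    return 'https' . substr($url, 4); // swap only the scheme, keep the rest
}

foreach ([
    'http://secure.example/wiki',      // listed host
    'http://a.b.secure.example/?q=1',  // subdomain of includeSubDomains entry
    'http://sub.exact.example/',       // parent listed without includeSubDomains
    'http://exact.example:8080/',      // explicit port
    'http://unlisted.example/',        // not on the list
    'HTTP://Secure.Example/Mixed',     // scheme and host are case-insensitive
] as $url) {
    echo $url, ' => ', upgradeUrl($url, SAMPLE_PRELOAD), PHP_EOL;
}
```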

Event Timeline

Go forth and fix!