Page MenuHomePhabricator

Add preference to skip Special:GoToInterwiki confirmation
Closed, DeclinedPublic

Description

Lately, when using an external interwiki prefix, instead of getting forwarded immediately, I am being asked to confirm if I indeed want to leave the wiki farm. As a regular user of such prefixes, this behaviour becomes pretty annoying over time. Though I understand this probably has been implemented for security reasons, it would be very nice to have a user preference where one can disable this request for confirmation.

Example: "luxo:Foo bar" on meta.wikimedia.org leads to Special:GoToInterwiki/luxo:Foo_bar instead of directly to https://tools.wmflabs.org/guc/?user=Foo_bar.

Event Timeline

Vogone created this task.Aug 23 2018, 1:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 23 2018, 1:31 PM

See T109140 and T122209. I don't see a good reason to decrease security for the sake of convenience.

Vogone added a subscriber: Bawolff.Aug 23 2018, 3:10 PM

Are you sure there is a real security concern for users who explicitly disable the splash page only for themselves? For example, normal external links don't need to a splash page either. The main reason for this being introduced seem to be "phishing" concerns which mostly affect users who are not familiar with the interwiki system, I would assume.

Are you sure there is a real security concern for users who explicitly disable the splash page only for themselves? For example, normal external links don't need to a splash page either. The main reason for this being introduced seem to be "phishing" concerns which mostly affect users who are not familiar with the interwiki system, I would assume.

Yes its anti-phising. e.g. Someone giving a link to https://en.wikipedia.org/wiki/somewhereevil:Foo making it look like a wikipedia link in an email ( https://cwe.mitre.org/data/definitions/601.html )

This is not a high severity issue by any means - if it was really annoying I'd be open to having a preference (Although in principle I dislike preferences for security features. Its often users who don't think it can happen to them who are the one's who end up being tricked. I also think this is a very specialized usecase to make a preference for). Maybe we could use a user-script for this?

So I understand correctly, what is the workflow you do that causes you to encounter the issue regularly?

Are you sure there is a real security concern for users who explicitly disable the splash page only for themselves? For example, normal external links don't need to a splash page either. The main reason for this being introduced seem to be "phishing" concerns which mostly affect users who are not familiar with the interwiki system, I would assume.

Yes its anti-phising. e.g. Someone giving a link to https://en.wikipedia.org/wiki/somewhereevil:Foo making it look like a wikipedia link in an email ( https://cwe.mitre.org/data/definitions/601.html )
This is not a high severity issue by any means - if it was really annoying I'd be open to having a preference (Although in principle I dislike preferences for security features. Its often users who don't think it can happen to them who are the one's who end up being tricked. I also think this is a very specialized usecase to make a preference for). Maybe we could use a user-script for this?

Personally, I don't mind either way, but I was under the impression that a preference being part of core would be easier to maintain and easier to use by others.

So I understand correctly, what is the workflow you do that causes you to encounter the issue regularly?

The most common example are tools which are common in global countervandalism work. For example, I often check a user's global contributions by typing "luxo:<username>" in the search bar. Also, "betawiki:" for translatewiki.net is an interwiki prefix I use regularly when navigating.

Yes its anti-phising. e.g. Someone giving a link to https://en.wikipedia.org/wiki/somewhereevil:Foo making it look like a wikipedia link in an email ( https://cwe.mitre.org/data/definitions/601.html )

On a sidenote, that doesn't seem to work (anymore?). https://en.wikipedia.org/wiki/google:foo leads to

Bad title
From Wikipedia, the free encyclopedia
Jump to navigation
Jump to search

The requested page title is invalid. It may be empty, contain unsupported characters, or include a non-local or incorrectly linked interwiki prefix. You may be able to locate the desired page by searching for its name (with the interwiki prefix, if any) in the search box.

Possible causes are:

* an attempt to load a URL such as https://en.wikipedia.org/wiki/| (the | character is unsupported);
* an attempt to load a URL pointing to a "non-local" interwiki page (usually those not run by the Wikimedia Foundation). For example, the URL https://en.wikipedia.org/wiki/meatball:WikiPedia will give this error, because the "meatball:" interwiki prefix is not marked as local in the interwiki table. Certain interwiki prefixes are marked as local in the table. For example, the URL https://en.wikipedia.org/wiki/meta:Main_page can be used to load meta:Main_page. All interlanguage prefixes are marked as local, and thus URLs such as https://en.wikipedia.org/wiki/fr:Accueil will work as expected. However, non-local interwiki pages can still be accessed by interwiki linking or by entering them in the search box. For example [[meatball:WikiPedia]] can be used on a page, like this: meatball:WikiPedia.

Return to Main Page.

The second "possible cause" seems to prevent exactly these cases. So perhaps the splash page is no longer needed?

Legoktm closed this task as Declined.Jul 18 2019, 8:17 AM
Legoktm added a subscriber: Legoktm.

Per bawolff, this isn't really suitable for a user preference, sorry. Plus with UrlShortener, it would defeat the point of the whitelist since people could just shorten https://en.wikipedia.org/wiki/google:foo

Per bawolff, this isn't really suitable for a user preference, sorry. Plus with UrlShortener, it would defeat the point of the whitelist since people could just shorten https://en.wikipedia.org/wiki/google:foo

Please read the comment right above yours.
Links like
https://en.wikipedia.org/wiki/google:foo
https://en.wikipedia.org/wiki/luxo:foo
and whatnot are not possible, anyway, so this cannot be a concern.

See the first sentence ("this isn't really suitable for a user preference") and T202625#4527067 for concerns still applicable.

Bawolff added a comment.EditedJul 18 2019, 5:28 PM

Per bawolff, this isn't really suitable for a user preference, sorry. Plus with UrlShortener, it would defeat the point of the whitelist since people could just shorten https://en.wikipedia.org/wiki/google:foo

Please read the comment right above yours.
Links like
https://en.wikipedia.org/wiki/google:foo
https://en.wikipedia.org/wiki/luxo:foo
and whatnot are not possible, anyway, so this cannot be a concern.

https://en.wikipedia.org/wiki/special:search/google:foo and also returnto url params