
Scheme-less URLs in mobile-html
Closed, Resolved · Public

Description

Background information

In order to present articles while offline, the iOS app uses a custom scheme to provide permanently cached versions of files to the web view. To have that custom scheme automatically apply to all of the https URLs within the mobile-html response, they would need to be re-written as scheme-less.

What

Replace all https URLs (including js and css) with scheme-less equivalents. For example, it would be //meta.wikimedia.org/api/rest_v1/data/css/mobile/base instead of https://meta.wikimedia.org/api/rest_v1/data/css/mobile/base

Open questions

URLs that aren't https won't work offline. Is this an issue?

Acceptance criteria

  • Articles returned by the mobile-html endpoint have https urls replaced with their scheme-less equivalents

Event Timeline

JoeWalsh created this task. Feb 28 2019, 5:13 PM
Restricted Application added a subscriber: Aklapper. Feb 28 2019, 5:13 PM
MSantos added a subscriber: MSantos. Mar 1 2019, 9:21 PM

@JoeWalsh does that apply to <source> tags like:

<source src="https://upload.wikimedia.org/wikipedia/commons/8/83/Mothercatandkitten-malawi-2018.webm" type="video/webm; codecs=&quot;vp8&quot;" data-file-width="770" data-file-height="540" data-title="Original WebM file, 770 × 540 (2.09 Mbps)" data-shorttitle="WebM source">

From: view-source:https://en.wikipedia.org/api/rest_v1/page/mobile-html/Cat#External_links

MSantos claimed this task. Mar 1 2019, 9:23 PM
MSantos triaged this task as Normal priority.
MSantos added a project: Page Content Service.
MSantos moved this task from To Do to Doing on the Product-Infrastructure-Team-Backlog (Kanban) board.
JoeWalsh added a comment. Edited Mar 1 2019, 9:32 PM

@MSantos yes, it should apply to source tags as well. I'm not sure that we'll actually save videos or audio for offline in the first iteration, but it would be nice to have the option available for the future.

Change 493770 had a related patch set uploaded (by MSantos; owner: MSantos):
[mediawiki/services/mobileapps@master] Make URLs scheme-less on mobile-html response

https://gerrit.wikimedia.org/r/493770

@JoeWalsh Thanks for the input!

JoeWalsh added a subscriber: bearND. Mar 5 2019, 4:48 PM

@MSantos @bearND The issue we're running into with the current implementation is that the x-content-security-policy header excludes custom schemes for script-src and style-src. Could they be updated to be less restrictive? The app works with the app:// scheme URLs added:

...script-src app://meta.wikimedia.org https://meta.wikimedia.org 'unsafe-inline'; style-src app://meta.wikimedia.org https://meta.wikimedia.org app://*.wikipedia.org https://*.wikipedia.org 'self' 'unsafe-inline';...

But would be open to other suggestions as well if there's a better way.

@JoeWalsh app:// looks good to me.

Change 493770 merged by jenkins-bot:
[mediawiki/services/mobileapps@master] Make URLs scheme-less on mobile-html response

https://gerrit.wikimedia.org/r/493770

Deployed a few minutes ago deploy/2019-03-13/5f8e4e61.
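
The content-security-policy problem raised in the thread, as an added example that is not part of the task or of the mobileapps code: a scheme-less URL inherits the scheme of the document that loads it, so under an app:// document it no longer matches an https:// source expression. The matcher is a simplified sketch (ports, paths and quoted keywords are ignored), the app:// document URL shape is an assumption, and the `BEFORE` policy is constructed by removing the app:// entries from the fragment quoted above.

```javascript
// Added example (not mobileapps code): simplified CSP host-source matching.
// Ports, paths and quoted keywords ('self', 'unsafe-inline') are not evaluated.
const CSS = '//meta.wikimedia.org/api/rest_v1/data/css/mobile/base';
const ONLINE_DOC = 'https://en.wikipedia.org/api/rest_v1/page/mobile-html/Cat';
const OFFLINE_DOC = 'app://en.wikipedia.org/api/rest_v1/page/mobile-html/Cat'; // assumed app URL shape
// Constructed "before" policy: the thread's fragment with the app:// entries removed.
const BEFORE = "script-src https://meta.wikimedia.org 'unsafe-inline'; style-src https://meta.wikimedia.org https://*.wikipedia.org 'self' 'unsafe-inline'";
// Policy fragment quoted in the thread.
const AFTER = "script-src app://meta.wikimedia.org https://meta.wikimedia.org 'unsafe-inline'; style-src app://meta.wikimedia.org https://meta.wikimedia.org app://*.wikipedia.org https://*.wikipedia.org 'self' 'unsafe-inline'";

// Resolve a URL from the mobile-html response against the page's own URL.
function resolve(ref, documentUrl) {
  return new URL(ref, documentUrl);
}

// Parse "scheme://host" source expressions; quoted keywords yield null.
function parseSource(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(expr);
  return m ? { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() } : null;
}

function schemeMatches(sourceScheme, urlScheme) {
  // CSP lets an http: source cover https: URLs; a custom scheme must match exactly.
  return sourceScheme === urlScheme || (sourceScheme === 'http' && urlScheme === 'https');
}

function hostMatches(sourceHost, urlHost) {
  // "*.wikipedia.org" covers subdomains only, not wikipedia.org itself.
  if (sourceHost.startsWith('*.')) {
    return urlHost.endsWith(sourceHost.slice(1));
  }
  return sourceHost === urlHost;
}

// Return the source expression that allows `url` under `directive`, or null.
function allowedBy(policy, directive, url) {
  const entry = policy.split(';').map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0] === directive);
  if (!entry) return null;
  const scheme = url.protocol.slice(0, -1);
  for (const expr of entry.slice(1)) {
    const src = parseSource(expr);
    if (src && schemeMatches(src.scheme, scheme) && hostMatches(src.host, url.hostname)) return expr;
  }
  return null;
}
```

With the quoted policy, `allowedBy(AFTER, 'script-src', ...)` still returns `null` for an app:// URL on a `*.wikipedia.org` host, because only `style-src` lists the wildcard source.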