Description
I am not sure why this was not among the white listed domains.
Related Objects
Mentioned In
- T270792: Add Wikispecies and Wikimediafoundation to UrlShortener
- T254427: Specific blog post not accessible from wikimediafoundation.org, redirects to third-party medium.com
- T249416: Allow URL shortening for qrpedia.org domain
Mentioned Here
- T231518: Add *.wmflabs.org to w.wiki shortener
- T220923: URL Shortener should not obfuscate important links
- T201022: Third party resources loaded by wikimediafoundation.org
Event Timeline
Probably because it's not a wiki
It's actually a little bit more complex. wikimediafoundation.org is not in WMF infrastructure and doesn't go through our varnish/LVS/other bits (don't get me started). It also used to load outside modules (T201022: Third party resources loaded by wikimediafoundation.org), so it's a little bit scary to allow this, as the website might have reflective XSS vulnerabilities and abuses can get hidden through the URL shortener. I leave the decision to CPT and Security though.
If someone is reasonably confident/has audited wikimediafoundation.org to make sure there are no open redirects it should be fine to add.
@Ladsgroup: Which outside modules are you referring to? As noted in the ticket you linked to, the ones previously identified have been disabled since August 2018.
I defer to Security and CPT on adding URL shortener to this domain, but want to make sure we are discussing it accurately. Are there additional external modules you are concerned about which are not discussed in T201022: Third party resources loaded by wikimediafoundation.org?
Hey, I used past tense ("used to load"). Still, reflective XSS can be a problem in the JavaScript of the website, but there are tools to scan for such vulnerabilities. (Security team knows better: did this website pass security review?)
Not that I'm aware of. Specifically, someone needs to verify there are no open redirects. Also no dangerous URLs that perform actions upon GET requests (e.g. T220923).
Marking as stalled pending confirmation from someone(?) that someone has reviewed wikimediafoundation.org for:
- reflective XSS
- open redirects
- dangerous URLs that perform actions upon GET requests
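The three review points above (reflected XSS, open redirects, action-on-GET links) are about the target site; on the shortener side the control is the domain allowlist itself, and the way the allowlist is matched has its own pitfalls. The following is an added illustrative example, not code from the UrlShortener extension or from anyone in this thread. It assumes a hypothetical allowlist with `*.`-prefixed wildcard entries and a constructed set of query-parameter names that mark a link as an action link (the real extension's configuration and parameter names may differ):

```python
"""Allowlist check for a URL shortener target (added example, not the
UrlShortener extension's own code). Shows the host-matching pitfalls a
reviewer would want covered before a new domain is added."""
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist. A "*." entry matches any subdomain but not the apex.
ALLOWED_DOMAINS = [
    "wikipedia.org",
    "*.wikipedia.org",
    "*.wmflabs.org",
    "wikimediafoundation.org",
]

# Constructed (hypothetical) set of query keys that indicate a link which
# performs an action when followed, i.e. one that should not be shortened.
ACTION_PARAMS = {"token", "wpEditToken"}


def host_allowed(host: str, allowlist=ALLOWED_DOMAINS) -> bool:
    """Exact match for plain entries, subdomain match for '*.' entries."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[1:]  # e.g. ".wmflabs.org"
            # The dot in the suffix stops "notwmflabs.org" from matching,
            # and len() check stops the apex from matching a wildcard entry.
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


def check_target(url: str, allowlist=ALLOWED_DOMAINS) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate URL to be shortened."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    # "https://en.wikipedia.org@evil.example/" parses with hostname
    # evil.example; refusing any userinfo removes that confusion entirely.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if not host_allowed(host, allowlist):
        return False, "host not allowlisted: %s" % host
    hits = sorted(set(parse_qs(parts.query)) & ACTION_PARAMS)
    if hits:
        return False, "action-bearing parameter(s): %s" % ", ".join(hits)
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://en.wikipedia.org/wiki/Main_Page",
        "https://en.wikipedia.org@evil.example/",
        "https://en.wikipedia.org.evil.example/",
        "https://wmflabs.org/",
        "https://evil.example/?next=https://en.wikipedia.org/",
        "https://en.wikipedia.org/w/index.php?title=Foo&action=delete&wpEditToken=abc",
    ):
        print(candidate, "->", check_target(candidate))
```

The open-redirect concern is the reason the last case matters: a shortener only ever sees the first hop, so `https://evil.example/?next=...` is rejected by host, but an allowlisted host that itself redirects on a parameter would pass this check, which is why the audit of the target site is still required.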
Correct! @Varnent - You'd want to start out with the new Security-Team services request form. There is some basic, pre-populated information in the description field where you can describe what @Legoktm discusses in T222089#5383470. This will get the request into our queue so we can evaluate options with you and schedule any resultant work. Thanks.