
Allow URL shortening for wikimediafoundation.org domain
Open, Needs Triage, Public

Description

I am not sure why this was not among the white listed domains.

Event Timeline

Ammarpad created this task. Apr 29 2019, 5:11 PM
Restricted Application added a subscriber: Aklapper. Apr 29 2019, 5:11 PM
Reedy added a subscriber: Reedy.

> I am not sure why this was not among the white listed domains.

Probably because it's not a wiki

Ladsgroup added a subscriber: Ladsgroup.

It's actually a little bit more complex. wikimediafoundation.org is not in WMF infrastructure and doesn't go through our varnish/LVS/other bits (don't get me started). It also used to load outside modules T201022: Third party resources loaded by wikimediafoundation.org so it's a little bit scary to allow this as the website might have reflective XSS vulnerabilities and abuses can get hidden through URL shortener. I leave the decision to CPT and Security though.

If someone is reasonably confident/has audited wikimediafoundation.org to make sure there are no open redirects it should be fine to add.
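The thread turns on two separate checks: whether the shortener's domain allowlist would admit wikimediafoundation.org at all, and whether the site itself is free of open redirects that a short link could hide. The following is an added illustration, not code from the UrlShortener extension or from anyone in this task: a hypothetical `can_shorten` check with a constructed allowlist, showing the host-matching mistakes an allowlist must avoid (substring matches, `user@host` tricks, non-http schemes). Note that it only answers the first question; an open redirect on an allowed host passes this check, which is exactly why the comment above asks for an audit before the domain is added.

```python
"""
Added example (hypothetical; not the UrlShortener extension's own code).
Validates a long URL against a domain allowlist before a short link is minted.
"""
from urllib.parse import urlsplit

# Constructed allowlist for the example; wikimediafoundation.org is the
# domain this task asks to add.
ALLOWED_DOMAINS = {"wikipedia.org", "wikimedia.org", "wikimediafoundation.org"}


def host_allowed(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one.

    Matching on the full label boundary ("." + domain) is deliberate:
    a naive substring or endswith(domain) check would accept
    "wikimediafoundation.org.evil.example".
    """
    host = host.lower().rstrip(".")  # normalise case and a trailing dot
    for domain in ALLOWED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def can_shorten(url: str) -> bool:
    """Decide whether the shortener should accept this target URL."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # "https://wikimediafoundation.org@evil.example/" parses with the
    # allowlisted name as the userinfo and evil.example as the host;
    # reject any userinfo rather than reasoning about it.
    if parts.username or parts.password:
        return False
    host = parts.hostname  # already lowercased, port stripped
    if not host:
        return False
    return host_allowed(host)


if __name__ == "__main__":
    for candidate in (
        "https://wikimediafoundation.org/wiki/Home",
        "https://wikimediafoundation.org.evil.example/",
        "https://evil.example/?next=https://wikimediafoundation.org/",
    ):
        print(candidate, "->", can_shorten(candidate))
```

The last sample in `__main__` is the shape of the concern in the thread turned around: the allowlist rejects an outside host carrying an allowed URL as a parameter, but it cannot reject an allowed host that forwards to an outside one, so host validation and an open-redirect audit are complementary, not substitutes.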

Varnent added a subscriber: Varnent. Edited Apr 30 2019, 5:37 AM

> It's actually a little bit more complex. wikimediafoundation.org is not in WMF infrastructure and doesn't go through our varnish/LVS/other bits (don't get me started). It also used to load outside modules T201022: Third party resources loaded by wikimediafoundation.org so it's a little bit scary to allow this as the website might have reflective XSS vulnerabilities and abuses can get hidden through URL shortener. I leave the decision to CPT and Security though.

@Ladsgroup: Which outside modules are you referring to? As noted in the ticket you linked to, the ones previously identified have been disabled since August 2018.

I defer to Security and CPT on adding URL shortener to this domain, but want to make sure we are discussing it accurately. Are there additional external modules you are concerned about which are not discussed in T201022: Third party resources loaded by wikimediafoundation.org?

> @Ladsgroup: Which outside modules are you referring to? As noted in the ticket you linked to, the ones previously identified have been disabled since August 2018.

Hey, I used past tense ("used to load"). Still, reflective XSS can be a problem in the javascript of the website, but there are tools to scan for such vulnerabilities. (Security team knows better; has this website passed security review?)

So if a security review of this website is a blocker, has such a review already been done?

Could wmflabs.org also be considered in this request?

wmflabs.org should probably be a whole separate ticket.