Turn logout link into a POST API call with refresh
It's better to get rid of any GET request with a CSRF token
Gerrit patch set: https://gerrit.wikimedia.org/r/506386
See related: T25227
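The following is an added example, not MediaWiki code and not part of the original task. It sketches the two designs the task contrasts: the legacy `Special:UserLogout?token=...` link, where the token travels in the URL and a single GET with a matching token logs the user out, and the replacement, where GET only renders the "Do you want to log out?" form and the logout itself requires a POST carrying the session-bound token. Class and function names (`Session`, `Request`, `logout_via_get_link`, `logout_via_post_form`, `stealth_logout_outcomes`) and the access-log line are constructed for this illustration; the token being bound to the session rather than the URL is an assumption about how such a design is normally built.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """Server-side session. Assumption: the CSRF token is bound to the
    session cookie, never to a URL."""
    user: Optional[str]
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    # Cookies ride along on cross-site requests, so the victim's session is
    # always attached, whoever caused the browser to send the request.
    session: Session


def _token_ok(supplied: str, expected: str) -> bool:
    # Constant-time comparison on bytes (compare_digest on str needs ASCII).
    return hmac.compare_digest(supplied.encode(), expected.encode())


def legacy_logout_url(session: Session) -> str:
    """Pre-change design: a plain link whose URL carries the token."""
    return f"/wiki/Special:UserLogout?token={session.csrf_token}"


def logout_via_get_link(req: Request) -> Tuple[int, str]:
    """Pre-change handler: any request whose ?token= matches logs the user out."""
    supplied = req.params.get("token", "")
    if supplied and _token_ok(supplied, req.session.csrf_token):
        req.session.user = None
        return 200, "logged out"
    return 403, "bad token"


def logout_via_post_form(req: Request) -> Tuple[int, str]:
    """Post-change handler: GET renders the confirmation form, POST + token logs out."""
    if req.method == "GET":
        # The token lives in the form body, so it never appears in a URL.
        return 200, (
            '<form method="post">'
            f'<input type="hidden" name="token" value="{req.session.csrf_token}">'
            "Do you want to log out? <button>Log out</button></form>"
        )
    if req.method != "POST":
        return 405, "method not allowed"
    if not _token_ok(req.params.get("token", ""), req.session.csrf_token):
        return 403, "bad token"
    req.session.user = None
    return 200, "logged out"


TOKEN_IN_URL = re.compile(r"Special:UserLogout\?token=([0-9a-f]+)")


def tokens_in_log(lines: List[str]) -> List[str]:
    """Recover logout tokens from request lines, standing in for the many
    places a URL gets recorded (access logs, history, Referer headers)."""
    found = []
    for line in lines:
        m = TOKEN_IN_URL.search(line)
        if m:
            found.append(m.group(1))
    return found


def stealth_logout_outcomes() -> Dict[str, bool]:
    """Run both designs against (a) a blind cross-site GET with no token, as an
    <img src=...> on a third-party page produces, and (b) a GET that replays a
    token recovered from a log line. True means the victim got logged out."""
    out: Dict[str, bool] = {}

    # (a) blind cross-site GET: attacker has no token at all
    s = Session(user="Alice")
    logout_via_get_link(Request("GET", {}, s))
    out["legacy_blind_get"] = s.user is None
    s = Session(user="Alice")
    logout_via_post_form(Request("GET", {}, s))
    out["post_form_blind_get"] = s.user is None

    # (b) the legacy URL puts the token where it gets logged; replay it
    s = Session(user="Alice")
    log_line = f'203.0.113.7 - - "GET {legacy_logout_url(s)} HTTP/1.1" 200'  # constructed
    leaked = tokens_in_log([log_line])[0]
    logout_via_get_link(Request("GET", {"token": leaked}, s))
    out["legacy_replayed_token"] = s.user is None

    # Even a token leaked by some other channel is useless as a GET against
    # the form design: GET only renders the form.
    s = Session(user="Alice")
    logout_via_post_form(Request("GET", {"token": s.csrf_token}, s))
    out["post_form_replayed_token_get"] = s.user is None

    # The legitimate path: POST with the token from the rendered form.
    s = Session(user="Alice")
    logout_via_post_form(Request("POST", {"token": s.csrf_token}, s))
    out["post_form_legit_post"] = s.user is None
    return out
```

The outcome table from `stealth_logout_outcomes()` makes the task's point concrete: both designs stop a blind cross-site GET, but only the legacy design puts the token somewhere a third party can plausibly read it back, and only the legacy design lets a GET perform the logout once the token is known. That matters for the doxing concern raised later in this task, since a stealth logout makes the user's next anonymous edit show their IP address.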
Project | Branch | Lines +/- | Subject
---|---|---|---
mediawiki/core | master | +14 -1 | [WIP] Use a form with POST for the logout button
mediawiki/core | master | +60 -46 | Deprecate logout token on GET
Change 511081 had a related patch set uploaded (by Fomafix; owner: Fomafix):
[mediawiki/core@master] [WIP] Use POST for logout
Change 511310 had a related patch set uploaded (by Ladsgroup; owner: Ladsgroup):
[mediawiki/core@master] Deprecate logout token on GET
Change 511310 merged by jenkins-bot:
[mediawiki/core@master] Deprecate logout token on GET
@Ladsgroup If I visit Special:UserLogout directly, I only see the text "Do you want to log out?" and no button or link to do anything.
It works in beta as expected:
Where are you testing this?
Translatewiki.net. Looks like it caught some revision in between where there isn't a button, but the link text was already removed.
Seems like the same thing doesn't work in the mobile interface - T232734: Mobile logout should not involve an interstitial
This causes problems for SAML auth. See https://phabricator.wikimedia.org/T246350 and https://www.mediawiki.org/w/index.php?title=Topic:W5nyw48nx1pc2lsy
If the issue is SAML specific, the extension should just provide an endpoint to call for logout.
I don't think we'd want to revert this change, as we'd lose at least a modest bit of security protection.
Also, I doubt it would help: T25227 (Use token when logging out) would probably break SAML logouts with or without POST. And we do want to have some kind of CSRF protection for logouts. Especially while we publish IP addresses for anonymous actions, a third-party-initiated stealth logout can be abused to dox users.