Page MenuHomePhabricator
Create Task
Maniphest T242089

Consider keeping user entered URL and removing tracking parameters
Open, MediumPublic
Actions

Description

We started using the canonical rather than the user entered URL for security reasons (T107322), but users have been regularly complaining this is destructive (removes anchors: T212608, page number in google books links and other important query parameters, and sometimes websites redirect us to a weird place like the home page if we aren't emulating a browser well enough).

An alternative is to remove tracking parameters based on a black list (i.e. https://en.wikipedia.org/wiki/UTM_parameters for some) and default to leaving them in if we don't "know" the parameter isn't needed.

Cons

  • Users adding prohibited urls like private ip addresses that we don't allow, could be left in (this can probably be ameliorated if we disallow this particular case.)
  • User tracking parameters that aren't on our blacklist would be left in.
  • The metadata might actually not be from the URL they used, for instance in T210871, the metadata is from a splash page, or in this bug here the metadata is from the home page, not the intended url. Putting the "bad" url in indicates to the user they need to fix the metadata manually, and also notes the actual source of the metadata.
  • The actual source of the metadata is discarded (the resolved / canonical url, as opposed to the user entered one)

Pros

  • Leaves important page query parameters in
  • Leaves anchors in
  • Creates a citation that needs slightly less fixing if the metadata is bad, because
  • Less confusing for users who expect that the url they enter will go in the url field as written

Related Objects

Event Timeline

Mvolz created this task.Jan 7 2020, 10:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 7 2020, 10:22 AM
Mvolz moved this task from Backlog to Service on the Citoid board.Jan 9 2020, 9:51 AM
Mvolz added a subscriber: Xaosflux.

@Xaosflux I think this was what you were trying to report on the other task.

Mvolz added a project: acl*security.Jan 9 2020, 10:02 AM
Mvolz updated the task description. (Show Details)
Mvolz updated the task description. (Show Details)Jan 9 2020, 10:49 AM
Xaosflux added a comment.Jan 9 2020, 12:54 PM

@Mvolz in T210871 the problem isn't so much about "removing parameters" but it seems to be that the process is following third party redirects and then replacing the entire path (and coincidentally in the example it is resulting in adding parameters). In replacing the entire path, editorial control of references is being lost (and in the example also results in a references that is useless for readers and editors)

sbassett moved this task from Backlog / Other to Other WMF team on the acl*security board.Jan 9 2020, 3:44 PM
Coffeeandcrumbs subscribed.Jan 10 2020, 10:14 PM
JFishback_WMF triaged this task as Medium priority.Jan 13 2020, 4:39 PM
JFishback_WMF added a project: Privacy Engineering.
JFishback_WMF moved this task from Incoming to Backlog on the Privacy Engineering board.
Mvolz merged a task: T243131: visual editor seems to automatically replace long (good) urls with short urls.Jan 24 2020, 1:27 PM
Mvolz added subscribers: seth, matmarex.
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM
seth awarded a token.Jun 28 2020, 9:36 AM
Mvolz added a comment.EditedJul 23 2020, 10:05 AM

Another report here: https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(technical)&oldid=prev&diff=966377645&diffmode=source

The UX is particularly bad when the urls are blacklisted. (i.e. shortlinks)

Mvolz mentioned this in T271438: Citoid breaks URLs for www.transfermarkt.de - domain replaced by underscore in URL.Jan 14 2021, 7:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL