Page MenuHomePhabricator

wikiworkshop.org has Facebook button, external statcounter, https to http redirect
Open, HighPublic

Description

https://wikiworkshop.org is hosted in WMF production but has a Facebook button, an external statcounter and redirects from https to http in some cases.

Event Timeline

Dzahn renamed this task from wikiworkshop.org has Facebook button, external statcounter etc to wikiworkshop.org has Facebook button, external statcounter, https to http redirect.May 4 2020, 8:42 AM
Dzahn added projects: SRE, Traffic.
Dzahn added a project: Privacy Engineering.
Dzahn added a subscriber: Reedy.

Change 593752 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[research/wikiworkshop@master] remove Facebook button

https://gerrit.wikimedia.org/r/593752

Change 593753 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[research/wikiworkshop@master] remove statcounter

https://gerrit.wikimedia.org/r/593753

Change 593751 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[research/wikiworkshop@master] replace a http:// with a https:// link to the 2015 workshop

https://gerrit.wikimedia.org/r/593751

JFishback_WMF moved this task from Incoming to In Progress on the Privacy Engineering board.

Change 593751 merged by Bmansurov:
[research/wikiworkshop@master] replace a http:// with a https:// link to the 2015 workshop

https://gerrit.wikimedia.org/r/593751

@leila head's up that one of the patches is removing the Facebook button. Another is removing statcounter. We probably want to use https://wikitech.wikimedia.org/wiki/Tool:Event_Metrics instead. What do you think?

@bmansurov thanks for the heads up. those removals are fine. (and btw, I expect James Fishback to provide more update requests in the coming weeks per an internal thread to clean up such aspects of the site).

Re Event Metrics: sounds good to me if it's relatively straightforward for you to set up.

Thanks @leila ! I would be happy to merge my patches but i don't have +2 on that repo. There is no deployment needed since puppet will git pull automatically.

Change 593752 merged by Bmansurov:
[research/wikiworkshop@master] remove Facebook button

https://gerrit.wikimedia.org/r/593752

Change 593753 merged by Bmansurov:
[research/wikiworkshop@master] remove statcounter

https://gerrit.wikimedia.org/r/593753

Change 596194 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[research/wikiworkshop@master] remove more Facebook buttons in previous years

https://gerrit.wikimedia.org/r/596194

Change 596196 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[research/wikiworkshop@master] remove tweet buttons

https://gerrit.wikimedia.org/r/596196

Change 596198 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[research/wikiworkshop@master] remove more stat counters

https://gerrit.wikimedia.org/r/596198

Change 596194 merged by Bmansurov:
[research/wikiworkshop@master] remove more Facebook buttons in previous years

https://gerrit.wikimedia.org/r/596194

Change 596196 merged by Bmansurov:
[research/wikiworkshop@master] remove Twitter script/buttons

https://gerrit.wikimedia.org/r/596196

Change 596198 merged by Bmansurov:
[research/wikiworkshop@master] remove more stat counters

https://gerrit.wikimedia.org/r/596198

Is there a specific thing we are waiting for?

The last things I see are:

  1. Remove as much of the YUI and Bootstrap CSS and JS as possible. We don't want to leave vulnerable libraries out there needlessly.
  2. Update what remains of those libraries to newest stable versions.
  3. There are several assets being hosted at stanford.edu that should either be removed if not needed, or moved into the repo so we host them

I pinged @leila about whether she wanted me to do that or she had someone else, but I haven't heard back (I think because of no-email Friday).

@bmansurov please check JFishback_WMF's comment above and make the changes requested.

Change 598266 had a related patch set uploaded (by Bmansurov; owner: Bmansurov):
[research/wikiworkshop@master] Copy external assets to the repo

https://gerrit.wikimedia.org/r/598266

Change 598266 merged by Bmansurov:
[research/wikiworkshop@master] Copy external assets to the repo

https://gerrit.wikimedia.org/r/598266

Change 598267 had a related patch set uploaded (by Bmansurov; owner: Bmansurov):
[research/wikiworkshop@master] 2015: remove YUI js and (most of) CSS

https://gerrit.wikimedia.org/r/598267

Change 598267 merged by Bmansurov:
[research/wikiworkshop@master] 2015: remove YUI js and (most of) CSS

https://gerrit.wikimedia.org/r/598267

Change 598268 had a related patch set uploaded (by Bmansurov; owner: Bmansurov):
[research/wikiworkshop@master] WIP: Upgrade bootstrap

https://gerrit.wikimedia.org/r/598268

Just a little status update: I've removed YUI and working on upgrading bootstrap. Since a lot changed between versions 2 and 4, it'll take some time to fully upgrade years 2016 through 2020. I'll let you know when I'm done.

Change 598268 merged by Bmansurov:
[research/wikiworkshop@master] 2016: Upgrade bootstrap

https://gerrit.wikimedia.org/r/598268

Change 598895 had a related patch set uploaded (by Bmansurov; owner: Bmansurov):
[research/wikiworkshop@master] 2017: Upgrade bootstrap

https://gerrit.wikimedia.org/r/598895

Change 598895 merged by Bmansurov:
[research/wikiworkshop@master] 2017: Upgrade bootstrap

https://gerrit.wikimedia.org/r/598895

Change 598896 had a related patch set uploaded (by Bmansurov; owner: Bmansurov):
[research/wikiworkshop@master] 2018: upgrade bootstrap

https://gerrit.wikimedia.org/r/598896

Change 598896 merged by Bmansurov:
[research/wikiworkshop@master] 2018: upgrade bootstrap

https://gerrit.wikimedia.org/r/598896

Change 598900 had a related patch set uploaded (by Bmansurov; owner: Bmansurov):
[research/wikiworkshop@master] 2019: Upgrade bootstrap

https://gerrit.wikimedia.org/r/598900

Change 598900 merged by Bmansurov:
[research/wikiworkshop@master] 2019: Upgrade bootstrap

https://gerrit.wikimedia.org/r/598900

Change 599143 had a related patch set uploaded (by Bmansurov; owner: Bmansurov):
[research/wikiworkshop@master] 2020: upgrade bootstrap

https://gerrit.wikimedia.org/r/599143

Change 599143 merged by Bmansurov:
[research/wikiworkshop@master] 2020: upgrade bootstrap

https://gerrit.wikimedia.org/r/599143

Looks good to me WRT Privacy. I think @Reedy also wanted to take a look at this for the appsec side.

Minor issue (so to some extent, still a HTTPS to HTTP redirect), I going to https://wikiworkshop.org/2019 (and other older sites, rather than one with a trailing /) results in a 301 against a HTTP resource before being kicked back to HTTPS

Screenshot 2020-06-18 at 16.18.55.png (734×1 px, 357 KB)

404s from favicon.ico but that obviously doesn't matter

Other than that, LGTM

curl -I -L https://wikiworkshop.org/2019
HTTP/2 301 
date: Thu, 18 Jun 2020 15:17:14 GMT
server: Apache
location: http://wikiworkshop.org/2019/
content-length: 303
content-type: text/html; charset=iso-8859-1
vary: X-Forwarded-Proto
age: 332
x-cache: cp3064 miss, cp3062 hit/2
x-cache-status: hit-front
server-timing: cache;desc="hit-front"

HTTP/1.1 301 TLS Redirect
Date: Thu, 18 Jun 2020 15:22:46 GMT
Server: Varnish
X-Varnish: 816772390
X-Cache: cp3050 int
X-Cache-Status: int-front
Server-Timing: cache;desc="int-front"
Location: https://wikiworkshop.org/2019/
Content-Length: 0
Connection: keep-alive

HTTP/2 200 
date: Thu, 18 Jun 2020 15:17:14 GMT
server: Apache
last-modified: Thu, 28 May 2020 00:11:13 GMT
vary: Accept-Encoding
cache-control: max-age=3600, must-revalidate
content-type: text/html
etag: W/"9740-5a6aa2a9d38b2"
age: 331
x-cache: cp3058 miss, cp3062 hit/2
x-cache-status: hit-front
server-timing: cache;desc="hit-front"
accept-ranges: bytes

https://github.com/wikimedia/puppet/blob/58ac95353aca3f0925017407ddebc2d397cd9f2f/modules/profile/files/httpbb/test_miscweb.yaml#L89

assert_headers:
  Location: http://wikiworkshop.org/2020/

That's obviously wrong, even if the test is just confirming what happens now..

that's interesting.. why we don't have HSTS headers for wikiworkshop.org?

@Vgutierrez This site was setup by Brandon. Could you maybe ask him about that last question?

@Vgutierrez This site was setup by Brandon. Could you maybe ask him about that last question?

I think this was just an oversight! Patch incoming for that part.

On the other redirects - the ones that read as 301 TLS Redirect that go in the http->https direction are from our generic Varnish coverage, while the downgrade ones are coming from something down in the applayer side.

Change 723590 had a related patch set uploaded (by BBlack; author: BBlack):

[operations/puppet@production] Add wikiworkshop.org to HSTS regex

https://gerrit.wikimedia.org/r/723590

Change 723590 merged by BBlack:

[operations/puppet@production] Add wikiworkshop.org to HSTS regex

https://gerrit.wikimedia.org/r/723590

Change 747658 had a related patch set uploaded (by Dzahn; author: Dzahn):

[operations/puppet@production] httpbb: miscweb: fix tests for wikiworkshop.org, update 2021 to 2022

https://gerrit.wikimedia.org/r/747658

Change 747658 merged by Dzahn:

[operations/puppet@production] httpbb: miscweb: fix tests for wikiworkshop.org, update 2021 to 2022

https://gerrit.wikimedia.org/r/747658