I'm proposing we bundle the SecureLinkFixer extension with MediaWiki (hopefully starting with 1.35). SLF rewrites URLs to use HTTPS if they're on the HSTS preload list. You can think of it as the "HTTPS Everywhere for MediaWiki". The main people who benefit from this extension are wikis that don't have bots to rewrite links to HTTPS and clients that don't support HSTS. I believe this provides a small security benefit to all wikis at a minimal cost.
The extension comes with everything already included and requires no configuration or schema changes. It's also trivial to uninstall, leaving no traces it was there.
One consideration is that a copy of the HSTS preload list is shipped inside the extension. For Wikimedia deployment purposes, we update it in the master branch weekly. It would be straightforward to have the bot update it in supported MW branches on a monthly or other schedule. In any case, shipping an outdated version of the list is expected; see https://hstspreload.org/#removal.
I believe SLF meets everything on the checklist, but I'll let someone else fill it out.
- Passed security review or already Wikimedia deployed
- Voting CI structure tests
- Runs MediaWiki-CodeSniffer
- Runs phan
- Supports MySQL, SQLite, and Postgres (if there are schema changes)
- GPL v2 or later compatible license
- Extension's default configuration provides optimal experience
- Tested with web installer
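
The rewrite rule described at the top of this proposal (upgrade a link to HTTPS only when its host is on the HSTS preload list) can be sketched as follows. This is an added illustration, not SecureLinkFixer's own code: the function names and the two list entries are constructed, and the port handling follows RFC 6797 section 8.3.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entries: host -> whether the entry also covers
# subdomains. These are placeholders, not data from the real preload list.
PRELOAD = {
    "secure.example": True,   # entry covers all subdomains
    "exact.example": False,   # entry covers this exact host only
}

def is_preloaded(host, preload=PRELOAD):
    """True if host is listed, or a parent entry includes subdomains."""
    host = host.lower().rstrip(".")
    if host in preload:
        return True
    labels = host.split(".")
    # Walk up the parents: a.b.secure.example -> b.secure.example -> ...
    for i in range(1, len(labels)):
        if preload.get(".".join(labels[i:])) is True:
            return True
    return False

def upgrade_url(url, preload=PRELOAD):
    """Return url with http upgraded to https when its host is preloaded."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url  # only plain-HTTP links with a host are candidates
    try:
        port = parts.port
    except ValueError:
        return url  # malformed port: leave the link untouched
    if not is_preloaded(parts.hostname, preload):
        return url
    netloc = parts.netloc
    if port == 80:
        # An explicit :80 becomes the HTTPS default; other ports are kept.
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    for u in ("http://a.secure.example/wiki", "http://sub.exact.example/"):
        print(u, "->", upgrade_url(u))
```

A subdomain of an exact-host entry is left alone, which is the case a naive suffix match gets wrong.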