Page MenuHomePhabricator
Create Task
Maniphest T264501

"toggle Desktop/Mobile view" misbehaves on HTTP sites
Closed, ResolvedPublic
Actions

Description

Due to commit 8b754f (from task T238076: Alert group Cookie(s) without Secure flag set), the stopMobileRedirect cookie wouldn't be sent to servers without HTTPS, which causes redirecting to desktop/mobile wouldn't be persistent.Will it be better having a protocol check before the cookie is set to be true?

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Make secure attribute of redirect cookie a configuration variablemediawiki/extensions/MobileFrontendmaster+18 -1
Make secure attribute of redirect cookie a configuration variablemediawiki/extensions/MobileFrontendREL1_35+18 -1
Customize query in gerrit

Related Objects

Event Timeline

StarHeartHunt created this task.Oct 3 2020, 1:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 3 2020, 1:57 PM
StarHeartHunt updated the task description. (Show Details)Oct 3 2020, 1:58 PM
StarHeartHunt renamed this task from "toggle Mobile view" misbehaves on HTTP sites to "toggle Desktop/Mobile view" misbehaves on HTTP sites.Oct 3 2020, 2:00 PM
Jdlrobson added projects: Security-Team, Reading-Web-Third-Party-Support.Oct 4 2020, 1:28 AM
StarHeartHunt updated the task description. (Show Details)Oct 4 2020, 8:38 AM
Reedy updated the task description. (Show Details)Oct 5 2020, 3:12 PM
sbassett triaged this task as Medium priority.Oct 5 2020, 3:23 PM
sbassett subscribed.

Due to commit 8b754f, the stopMobileRedirect cookie wouldn't be sent to servers without HTTPS

So this shouldn't affect any Wikimedia projects, though I suppose it could affect other installations of MediaWiki running MobileFrontend without TLS. I'm not sure we'd want to passively encourage that behavior with a protocol check. Pulling that out into a configuration variable with the default being 'secure' => true would be the better approach IMO.

sbassett claimed this task.Oct 5 2020, 3:24 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
gerritbot added a comment.Oct 5 2020, 3:48 PM

Change 632263 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@master] Make secure attribute of redirect cookie a configuration variable

https://gerrit.wikimedia.org/r/632263

gerritbot added a project: Patch-For-Review.Oct 5 2020, 3:48 PM
gerritbot added a comment.Oct 6 2020, 9:42 PM

Change 632557 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/extensions/MobileFrontend@REL1_35] Make secure attribute of redirect cookie a configuration variable

https://gerrit.wikimedia.org/r/632557

gerritbot added a comment.Oct 6 2020, 10:05 PM

Change 632263 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] Make secure attribute of redirect cookie a configuration variable

https://gerrit.wikimedia.org/r/632263

gerritbot added a comment.Oct 6 2020, 10:07 PM

Change 632557 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@REL1_35] Make secure attribute of redirect cookie a configuration variable

https://gerrit.wikimedia.org/r/632557

Maintenance_bot removed a project: Patch-For-Review.Oct 6 2020, 10:10 PM
ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.13; 2020-10-12).Oct 6 2020, 11:00 PM
sbassett closed this task as Resolved.Oct 14 2020, 8:51 PM
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits