
"toggle Desktop/Mobile view" misbehaves on HTTP sites
Closed, Resolved (Public)

Description

Due to commit 8b754f (from task T238076: Alert group Cookie(s) without Secure flag set), the stopMobileRedirect cookie wouldn't be sent to servers without HTTPS, which causes the redirect to desktop/mobile not to be persistent. Would it be better to have a protocol check before the cookie is set to true?

Event Timeline

StarHeartHunt renamed this task from "toggle Mobile view" misbehaves on HTTP sites to "toggle Desktop/Mobile view" misbehaves on HTTP sites. Oct 3 2020, 2:00 PM
sbassett triaged this task as Medium priority. Oct 5 2020, 3:23 PM
sbassett added a subscriber: sbassett.

Due to commit 8b754f, the stopMobileRedirect cookie wouldn't be sent to servers without HTTPS

So this shouldn't affect any Wikimedia projects, though I suppose it could affect other installations of MediaWiki running MobileFrontend without TLS. I'm not sure we'd want to passively encourage that behavior with a protocol check. Pulling that out into a configuration variable with the default being 'secure' => true would be the better approach IMO.
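The behaviour behind this task, as an added illustration that is not MobileFrontend's own code: a small cookie-jar model of how browsers treat the Secure attribute (not sent on http requests per RFC 6265, and, under the Strict Secure Cookies rule of the RFC 6265bis drafts, not even stored when set from a non-https origin), used to compare the protocol check proposed in the description with the configuration-variable approach described above. The setting name `wgMFStopRedirectCookieSecure` and the site URLs are placeholders chosen for the example, not the names used by the merged change.

```javascript
// Added example, not code from MobileFrontend or the merged patch. Models a
// browser's handling of the Secure attribute for the stopMobileRedirect cookie.

// Parse a Set-Cookie header into { name, value, attrs } (simplified: no quoting rules).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Store a cookie the way current browsers do (Strict Secure Cookies): a cookie
// carrying Secure that is set from a non-https origin is rejected outright.
function storeCookie(jar, header, originUrl) {
  const c = parseSetCookie(header);
  const https = new URL(originUrl).protocol === 'https:';
  if (c.attrs.secure && !https) return false; // dropped, nothing stored
  jar.set(c.name, c);
  return true;
}

// Cookies attached to a request: Secure ones only when the request is https.
function cookiesForRequest(jar, requestUrl) {
  const https = new URL(requestUrl).protocol === 'https:';
  return [...jar.values()]
    .filter(c => !c.attrs.secure || https)
    .map(c => `${c.name}=${c.value}`);
}

// Configuration-variable approach: Secure is on unless the site explicitly
// turns it off. `wgMFStopRedirectCookieSecure` is a placeholder name.
function buildStopRedirectCookie(config) {
  const secure = config.wgMFStopRedirectCookieSecure !== false; // default true
  return 'stopMobileRedirect=true; Path=/' + (secure ? '; Secure' : '');
}

// Protocol-check approach from the task description: Secure follows the page scheme,
// so an http deployment silently gets a non-Secure cookie.
function buildStopRedirectCookieByProtocol(pageUrl) {
  const secure = new URL(pageUrl).protocol === 'https:';
  return 'stopMobileRedirect=true; Path=/' + (secure ? '; Secure' : '');
}

// Does the desktop/mobile choice survive the next page load on siteUrl?
function togglePersists(setCookieHeader, siteUrl) {
  const jar = new Map();
  storeCookie(jar, setCookieHeader, siteUrl);
  return cookiesForRequest(jar, siteUrl).includes('stopMobileRedirect=true');
}

// Constructed site URLs for a quick run.
console.log('default config, http site :', togglePersists(buildStopRedirectCookie({}), 'http://wiki.example/'));
console.log('default config, https site:', togglePersists(buildStopRedirectCookie({}), 'https://wiki.example/'));
console.log('secure=false, http site   :', togglePersists(buildStopRedirectCookie({ wgMFStopRedirectCookieSecure: false }), 'http://wiki.example/'));
```

With the default configuration the toggle is lost on the http site and kept on the https site; an operator who runs without TLS has to opt out explicitly, whereas the protocol check would make the same downgrade happen automatically, which is the passive encouragement the comment above wants to avoid.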

Change 632263 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/MobileFrontend@master] Make secure attribute of redirect cookie a configuration variable

https://gerrit.wikimedia.org/r/632263

Change 632557 had a related patch set uploaded (by Reedy; owner: SBassett):
[mediawiki/extensions/MobileFrontend@REL1_35] Make secure attribute of redirect cookie a configuration variable

https://gerrit.wikimedia.org/r/632557

Change 632263 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] Make secure attribute of redirect cookie a configuration variable

https://gerrit.wikimedia.org/r/632263

Change 632557 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@REL1_35] Make secure attribute of redirect cookie a configuration variable

https://gerrit.wikimedia.org/r/632557

sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.