Page MenuHomePhabricator
Create Task
Maniphest T275402

Security Readiness Review For UseResource
Closed, DeclinedPublic
Actions

Description

Project Information

Description of the tool/project:
The UseResouce uses the <usescript> and <usestyle> tags to allow for the loading of JavaScript and CSS pages in the MediaWiki namespace on a per-page basis.

Description of how the tool will be used at WMF:
The extension would be used to allow loading JavaScript and their accompanying CSS files relating to certain projects to only be loaded on the pages where they are needed so they wouldn't have to be loaded on every pageview through Common.js/Common.js or the Gadgets extension.

Dependencies
None

Has this project been reviewed before?
No

Working test environment
Install like any normal MediaWiki extension (instructions). To test extension you can create a JavaScript or CSS file in the MediaWiki namespace and load it using <usescript src="FILE"> (for JavaScript) or <usestyle src="FILE"> (for CSS).

Post-deployment
No time at the time, BrandonXLF is responsible for developing and maintaining the extension.

Related Objects
Search...

StatusSubtypeAssignedTask
 DeclinedNoneT275403 Deploy 'UseResource' extension on MediaWiki wikis
 DeclinedNoneT275402 Security Readiness Review For UseResource

Event Timeline

BrandonXLF created this task.Feb 22 2021, 3:59 PM
Restricted Application added a project: secscrum. · View Herald TranscriptFeb 22 2021, 3:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
BrandonXLF mentioned this in T275403: Deploy 'UseResource' extension on MediaWiki wikis.Feb 22 2021, 3:59 PM
BrandonXLF added a parent task: T275403: Deploy 'UseResource' extension on MediaWiki wikis.
RhinosF1 subscribed.EditedFeb 22 2021, 4:03 PM

How does the differ from TemplateStyles?
Is there any plan to deploy this to WMF sites? just seen

BrandonXLF added a comment.Feb 22 2021, 4:06 PM
In T275402#6849230, @RhinosF1 wrote:

How does the differ from TemplateStyles?
Is there any plan to deploy this to WMF sites? just seen

TemplateStyles only allows for the loading of CSS on a per-page basis, this extension allows for both JavaScript and CSS. Unlike TemplateStyles, the CSS is not modified to only apply to page content, so CSS loaded with this extension can apply to HTML outside of the page content (for example popups created by loaded JavaScript).

RhinosF1 added a comment.EditedFeb 22 2021, 4:08 PM

Thanks for the explanation. Interested to see the result as I could image concerns with anyone able to modify a pages raw html (which with JavaScript access I'm sure could be embedded in and modified without great difficulty.)

Legoktm subscribed.Feb 22 2021, 4:33 PM

This seems to solve a long-standing request for the Gadgets extension T63007: Allow specifying when a gadget should load (action, namespace, content model) among others. But I think adding a separate extension for this will just add more technical debt, and we're already in a lot of debt with Gadgets. I think working on finishing Gadgets 2.0 would be a much better use of resources than trying to deploy and maintain a separate extension, if you'd be interested in working on that.

BrandonXLF added a comment.Feb 22 2021, 4:44 PM
In T275402#6849357, @Legoktm wrote:

This seems to solve a long-standing request for the Gadgets extension T63007: Allow specifying when a gadget should load (action, namespace, content model) among others. But I think adding a separate extension for this will just add more technical debt, and we're already in a lot of debt with Gadgets. I think working on finishing Gadgets 2.0 would be a much better use of resources than trying to deploy and maintain a separate extension, if you'd be interested in working on that.

I already made https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Gadgets/+/624517 (for namespaces), but there's no one maintaining the Gadgets extension to review and merge the change. Using gadgets for the use case of this extension is basically impossible since you would need to add the title of each page that uses the gadget to the gadget definition, which could be thousands of pages.

sbassett changed the task status from Open to Stalled.Feb 23 2021, 5:48 PM
sbassett triaged this task as Lowest priority.
sbassett moved this task from Incoming to Back Orders on the secscrum board.
Aklapper added a subscriber: sbassett.Feb 23 2021, 6:39 PM

@sbassett: Hi, what is this task stalled (waiting for further input (e.g. from the task author or a third party like upstream) and can currently not be acted on) on exactly?

sbassett added a comment.Feb 23 2021, 7:03 PM

@Aklapper - a number of items from the Security-Team's perspective. For starters: there's no estimated deployment date which is a hard requirement for us to schedule reviews. It also doesn't satisfy a number of requirements for higher priority or status as described within the "What type of project or code triggers this review process?" and "How are these requests prioritized?" sections of the current security readiness review SOP. There are also questions above as to whether this extension would be the best approach for the current indicated problem. Given all of that, this review will have to be very low-priority for the Security-Team. If you'd like to change the task to "Open", I guess that's fine, though it won't really change how the Security-Team currently views this task.

Aklapper added a comment.Feb 24 2021, 9:06 AM

@sbassett: Thanks a lot for elaborating, as it helps requesters and interested folks to better understand what's blocking. Appreciated.

Xaosflux subscribed.Feb 24 2021, 11:41 AM
JBennett closed this task as Declined.Apr 8 2021, 3:54 PM
JBennett subscribed.

The Security team is updating their readiness review SOP to reflect a new change that any request that has aged 90 days without being in a reviewable state will be declined. We do this to help keep our work area current, accurate and reflective of actual work. If the status of your project changes please re-tag us and we will get this work scheduled.

Jcross removed projects: Application Security Reviews, secscrum.Apr 8 2021, 6:36 PM
Aklapper added a project: Application Security Reviews.Apr 9 2021, 7:29 AM
Aklapper added a subscriber: Jcross.

@Jcross: Please do not remove correct metadata as it makes it harder to find tasks. This is and was a security readiness review request (which has been declined). Thanks.

Restricted Application added a project: secscrum. · View Herald TranscriptApr 9 2021, 7:29 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL