
TemplateStyles doesn't recognize @import rule
Closed, Declined | Public | Bug Report

Description

According to https://www.mediawiki.org/wiki/Extension:TemplateStyles, @import rules should work for external domains explicitly whitelisted via $wgTemplateStylesAllowedUrls in LocalSettings.php. However, they currently do not work.

To reproduce, add the following to any template style sheet and hit PREVIEW:

@import 'https://www.example.com/styles.css';

You get the error 'Unrecognized or unsupported rule at line 1 character 1.'

  • I tried with @import url( 'https://www.example.com/styles.css' ); and got the same result
  • I verified that this isn't due to the domain not being listed in $wgTemplateStylesAllowedUrls by setting $wgTemplateStylesAllowedUrls['css'] = [ '/.*/' ]; in a development wiki
  • I verified that this isn't about @ rules in general by adding @namespace 'Foo' to a template style sheet
  • This issue is similar and may be related to T293633

Event Timeline

Sophivorus updated the task description.
Ilovemydoodle subscribed.

Speedily declined, for many reasons:

  1. Security: This would result in a giant mess of potential security violations.
  2. Copyright: The copyright of the external website is often unknown.
  3. Reliability: External sites could potentially break Wikimedia sites at any time without warning if they changed css files.
  4. Not necessary: If there is really good copyright-free css from other websites, we can just copy it to the local site rather than having to access from a potentially unreliable third-party source.
Sophivorus reopened this task as Open. Edited Aug 19 2022, 8:30 PM

Sorry, maybe I should have clarified: support for @import is documented at Extension:TemplateStyles (even though it doesn't work), but the external domains need to be explicitly whitelisted via $wgTemplateStylesAllowedUrls, so there's no security/copyright/reliability risk at all unless the wiki admin is willing to accept it. I just updated the task description to clarify this.

This feature is currently not used on Wikimedia wikis, but perhaps one day it will be (for example for centralized style sheets in Commons), and in any case third-party wikis could benefit from it. For instance, I created this task because it's quite a blocker for prototyping Wikitemplates, a project proposal for a central template repository.

Sophivorus updated the task description.

> Sorry, maybe I should have clarified: support for @import is documented at https://www.mediawiki.org/wiki/Extension:TemplateStyles (even though it doesn't work), but the external domains need to be explicitly whitelisted via $wgTemplateStylesAllowedUrls, so there's no security/copyright/reliability risk at all unless the wiki admin is willing to accept it. I just updated the task description to clarify this.

@Sophivorus Thank you for the clarification, but in the future, please clarify things like this, otherwise they will usually be closed as a security vulnerability.

@Sophivorus Also, this could have been marked as a bug report to avoid confusion.

Change 824799 had a related patch set uploaded (by Sophivorus; author: Sophivorus):

[mediawiki/extensions/TemplateStyles@master] Enable @import for whitelisted domains

https://gerrit.wikimedia.org/r/824799

I just sent a patch-for-review that enables @import for whitelisted domains. There was a comment in the code that said that @import was disabled for security reasons, but I couldn't find an explanation of the reasons, considering that @import rules only work for whitelisted domains. It may have been just a precaution with no specific reason, but now that there are at least some users (the supporters of the Wikitemplates project proposal) interested in having this feature enabled, I trust that the patch can be merged and the feature enabled. Cheers!

Izno changed the subtype of this task from "Task" to "Bug Report". Jan 14 2023, 12:58 AM
Tgr subscribed.

It's insecure because you can't verify that the CSS being imported has been sanitized. I guess it could be used to import CSS files from the MediaWiki: namespace if the URL regex is constructed very carefully. It would make tracking of which CSS files are used sitewise harder, though.

It would also be problematic for performance: the CSS stylesheet URL would only be loaded when the importing stylesheet is parsed, in a separate request, unminified. CSS is render-blocking so that could quickly become unmanageable, even more so if it's done cross-domain which the Wikitemplates proposal seems to suggest.

T285173: Allow @import of local sanitised CSS files into other sanitised CSS files on same wiki has more related discussion.
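The remark above about the URL regex needing to be "constructed very carefully" can be made concrete. The following is an added example, not part of this thread and not TemplateStyles code: it assumes each entry in $wgTemplateStylesAllowedUrls['css'] is a PCRE pattern tried against the whole URL string with preg_match(), and the function name, the patterns other than '/.*/', and the sample URLs are all constructed for illustration.

```php
<?php
// Added illustration; not TemplateStyles code. Assumes each allowlist entry
// is a PCRE pattern tried against the whole URL string with preg_match().

/** Return true if any pattern in $allowlist matches $url (hypothetical helper). */
function urlAllowed( array $allowlist, string $url ): bool {
	foreach ( $allowlist as $regex ) {
		if ( preg_match( $regex, $url ) === 1 ) {
			return true;
		}
	}
	return false;
}

// Candidate values for $wgTemplateStylesAllowedUrls['css'] (constructed,
// except the catch-all, which is the value used in the task description).
$configs = [
	'catch-all (from the report)' => [ '/.*/' ],
	'unanchored host'             => [ '<www\.example\.com>' ],
	// Anchored at both ends: fixed scheme, host and directory, one file name.
	// The D modifier stops $ from matching before a trailing newline.
	'anchored host and path'      => [ '<^https://www\.example\.com/styles/[\w.-]+\.css$>D' ],
];

// Constructed sample URLs; only the first is the stylesheet the admin intended.
$urls = [
	'https://www.example.com/styles/base.css',
	'https://www.example.com.other.example/styles/base.css', // host is a prefix only
	'https://other.example/x.css?ref=www.example.com',       // host appears in query
	'http://www.example.com/styles/base.css',                // plain HTTP
	'https://www.example.com/styles/../upload/user.css',     // leaves the directory
];

foreach ( $configs as $label => $allowlist ) {
	echo "== $label ==\n";
	foreach ( $urls as $url ) {
		printf( "  %-5s %s\n", urlAllowed( $allowlist, $url ) ? 'ALLOW' : 'deny', $url );
	}
}
```

Only the anchored pattern restricts the list to the intended file. Even then it only limits which URLs can be referenced; it does not address the point made above that the imported file's contents are never passed through the sanitizer.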

Izno subscribed.

I don't think it's appropriate to decline this report per T315667#8169992. Someone went out of their way to say it's supported already. At a minimum there should be agreement that the documentation and related configuration variable should be removed.

I fixed the documentation.

FWIW you can use the TemplateStylesStylesheetSanitizer hook to introduce arbitrary sanitization rules if you really want. We shouldn't provide things by default if we consider them a bad idea, though.

Well, I explained 2 times already that the feature isn't insecure since the wiki admin has to whitelist domains explicitly, so any security or performance implications can be easily documented and will be at his/her own risk. That being said, Wikitemplates has currently zero real support so why care. Thanks for taking the time to review this, cheers.

Change 824799 abandoned by Sophivorus:

[mediawiki/extensions/TemplateStyles@master] Enable @import for whitelisted domains

Reason:

https://gerrit.wikimedia.org/r/824799