Page MenuHomePhabricator
Create Task
Maniphest T379205

Donate sidebar link consistency (sitesupport-url)
Closed, ResolvedPublic
Actions

Description

I reviewed the current situation with the "Donate" link in the sidebar of Wikimedia wikis, which is controlled with sitesupport-url.

  • The default sidebar, defined by wikimedia-sidebar in WikimediaMessages, has an item with a link to sitesupport-url. Wikis often customise [[MediaWiki:Sidebar]], copying this list item. This is used by most skins.
  • WikimediaMessages has a hook which, if $wgWikimediaMessagesAnonDonateLink is true, fetches sitesupport-url and adds a link to it in the user-page section.
  • The Minerva skin has insertDonateItem(), which fetches the sitesupport-url message and appends utm_key=minerva to it.
  • In WikimediaMessages, there is a default sitesupport-url which goes to https://donate.wikimedia.org/?utm_source=donate&utm_medium=sidebar&utm_campaign=spontaneous&uselang=en
  • The documentation indicates that translators are expected to copy this message and replace the uselang parameter with their own language code. Some have done so.
  • In addWiki.php in WikimediaMaintenance, the sitesupport-url for new wikis is overridden by writing https://donate.wikimedia.org/?utm_source=donate&utm_medium=sidebar&utm_campaign=$domain&uselang=$wgContLang to [[MediaWiki:Sitesupport-url]].
  • Many (most?) wikis have customised [[MediaWiki:Sitesupport-url]], setting it to something like https://donate.wikimedia.org/wiki/Special:FundraiserRedirector?utm_source=donate&utm_medium=sidebar&utm_campaign=C13_en.wikipedia.org&uselang=en, a 2013 hack implemented by staff as noted in T136134.

The drawbacks of this situation are:

  • It is non-trivial to change the donate link. All these places would have to be changed, including editing every wiki.
  • The uselang parameter generally reflects the content language of the source wiki. Sidebar URLs are fetched from the content language so translation of the sitesupport-url message in WikimediaMessages is not effective.
  • The utm_campaign parameter is not consistent.
  • There is code in addWiki.php which I want to remove to make T352113 simpler.

Proposal:

  • In WikimediaMessages en.json, set sitesupport-url to https://donate.wikimedia.org/?utm_source=donate&utm_medium=sidebar&utm_campaign={{SERVERNAME}}&uselang={{USERLANGUAGE}}. I tested this locally, the variables are expanded. For sidebar links, {{USERLANGUAGE}} is always the content language, but for Minerva and $wgWikimediaMessagesAnonDonateLink links, it is the user language, if $wgParserEnableUserLanguage is true.
  • In WikimediaMessages qqq.json, set sitesupport-url to {{notranslate}} and delete the existing translations.
  • Remove the addWiki.php code.
  • Delete all the [[MediaWiki:Sitesupport-url]] pages.

Details

SubjectRepoBranchLines +/-
Stop translating sitesupport-urlmediawiki/extensions/WikimediaMessagesmaster+2 -127
Stop creating MediaWiki:Sitesupport-url on new wikismediawiki/extensions/WikimediaMaintenancemaster+2 -35
Customize query in gerrit

Related Objects

Event Timeline

tstarling created this task.Nov 6 2024, 10:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 6 2024, 10:49 PM
tstarling updated the task description. (Show Details)Nov 6 2024, 11:04 PM
gerritbot added a comment.Nov 6 2024, 11:24 PM

Change #1087986 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/extensions/WikimediaMessages@master] Stop translating sitesupport-url

https://gerrit.wikimedia.org/r/1087986

gerritbot added a project: Patch-For-Review.Nov 6 2024, 11:24 PM
gerritbot added a comment.Nov 6 2024, 11:28 PM

Change #1087988 had a related patch set uploaded (by Tim Starling; author: Tim Starling):

[mediawiki/extensions/WikimediaMaintenance@master] Stop creating MediaWiki:Sitesupport-url on new wikis

https://gerrit.wikimedia.org/r/1087988

Peachey88 subscribed.Nov 7 2024, 12:10 AM
Pppery added projects: WikimediaMessages, MediaWiki-extensions-WikimediaMaintenance.Nov 7 2024, 3:30 AM
Pppery awarded a token.
Tgr subscribed.Nov 11 2024, 9:38 AM

Delete all the [[MediaWiki:Sitesupport-url]] pages.

Cleaning up those pages and then preventing recreation (e.g. by adding it to $wgRawHtmlMessages) would also be a slight security improvement. An attacker with interface edit rights who manages to redirect the donation URL to their own site could use it to steal donor PII, credit card data etc.

It's only a slight improvement because 1) attacks with interface edit rights are very rare and 2) you can just edit MediaWiki:Sidebar anyway and it's not realistic to lock that down. But it's also likely to be watchlisted by way more people, so I think it would still have some value.

Restricted Application added a subscriber: jhsoby. · View Herald TranscriptNov 11 2024, 9:38 AM
AKanji-WMF moved this task from Triage to Blocked or not fr-tech on the Fundraising-Backlog board.Nov 12 2024, 9:08 PM
AKanji-WMF added subscribers: Pcoombe, AKanji-WMF.

cc: @Pcoombe

Jdlrobson added projects: FY2024-25 WE3.2 Donation Entry Points, Web-Team.Nov 14 2024, 7:04 PM
Jdlrobson subscribed.

Tagging web team given this relates to an existing OKR.

tstarling added a comment.Nov 15 2024, 5:32 AM

I mostly need someone from fundraising to sign off on the change to utm_campaign or to express an opinion on the correct value of that parameter. Other than that, it should be uncontroversial and reviewable by anyone.

SToyofuku-WMF subscribed.Nov 18 2024, 6:19 PM
Jdlrobson removed a project: Web-Team.Nov 18 2024, 7:29 PM

Web team discussed this today - we don't need to be involved with code review here but would appreciate a ping when the patch is merged so we can check things our side ( @Pcoombe @AKanji-WMF )

Pcoombe added a comment.Nov 21 2024, 9:02 PM

Thanks so much for digging into this @tstarling! Cleaning up this mess and standardising the links has been on my wishlist for a long time, but I didn't really know where to start. Your proposal sounds great to me.

One request: can we change the links to use wmf_ as a prefix instead of utm_? We've been gradually shifting donation links to use this since an increasing number of clients strip any utm_ parameters from urls (T367361) So https://donate.wikimedia.org/?wmf_source=donate&wmf_medium=sidebar&wmf_campaign={{SERVERNAME}}&uselang={{USERLANGUAGE}}

I would also support @Tgr's proposal in T379205#10308647 to prevent local creation of these messages, for the purposes of security and traceability.

gerritbot added a comment.Nov 22 2024, 5:09 AM

Change #1087988 abandoned by Tim Starling:

[mediawiki/extensions/WikimediaMaintenance@master] Stop creating MediaWiki:Sitesupport-url on new wikis

Reason:

superseded by I7048751db901427a95d52ada898b4b66c5a7aaea

https://gerrit.wikimedia.org/r/1087988

tstarling added a comment.Nov 22 2024, 6:29 AM
In T379205#10346390, @Pcoombe wrote:

One request: can we change the links to use wmf_ as a prefix instead of utm_? We've been gradually shifting donation links to use this since an increasing number of clients strip any utm_ parameters from urls (T367361) So https://donate.wikimedia.org/?wmf_source=donate&wmf_medium=sidebar&wmf_campaign={{SERVERNAME}}&uselang={{USERLANGUAGE}}

Done.

gerritbot added a comment.Nov 22 2024, 3:00 PM

Change #1087986 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] Stop translating sitesupport-url

https://gerrit.wikimedia.org/r/1087986

Maintenance_bot removed a project: Patch-For-Review.Nov 22 2024, 3:30 PM
Pcoombe added a comment.Thu, Dec 5, 3:49 PM

Any idea how we can get the local [[MediaWiki:Sitesupport-url]] overrides deleted?

jhsoby added a comment.Thu, Dec 5, 7:49 PM
In T379205#10383802, @Pcoombe wrote:

Any idea how we can get the local [[MediaWiki:Sitesupport-url]] overrides deleted?

User:Maintenance script has performed some crosswiki deletions in the past, most recently in conjunction with T219279. Maybe the people involved with that task can help with this too?

Pppery added subscribers: matmarex, Pppery.Thu, Dec 5, 8:48 PM

I suspect it's probably easier for someone in the staff global group to do it on-wiki via the API than to run a maintenance script. @matmarex did that for T375789 for example.

Stashbot added a comment.Fri, Dec 6, 1:32 AM

Mentioned in SAL (#wikimedia-operations) [2024-12-06T01:32:10Z] <TimStarling> on mwmaint2002: deleting [[MediaWiki:Sitesupport-url]] pages per T379205

Pppery unsubscribed.Fri, Dec 6, 1:37 AM
tstarling closed this task as Resolved.Fri, Dec 6, 1:52 AM
tstarling claimed this task.

I deleted them.

Pcoombe added a comment.Fri, Dec 6, 12:32 PM

Fantastic, thanks!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits