Page MenuHomePhabricator
Create Task
Maniphest T392431

Implement a reverse proxy for gitlab.wikimedia.org raw content that supports mime-type specification
Closed, ResolvedPublicFeature
Actions

Description

As a technical contributor
I want to load javascript and css content hosted on gitlab.wikimedia.org in userscripts and/or gadgets on Wikimedia wikis
So I can implement collaborative workflows using git and CI.

GitLab serves raw content with Content-Type: text/plain and X-Content-Type-Options: nosniff headers which prevents us from trivially linking to content hosted on the service. These are reasonable protections from various forms of MIME confusion and XSS attacks. The upstream has rejected requests for integrated raw content delivery on multiple occasions.

Use of a reverse proxy separates sessions that visitors may have on the gitlab.wm.o site from the delivery of content by the Toolforge tool diffusing XSS attacks against the gitlab site. This can be seen as operating similarly to gitlab pages by delivering the content from a separate domain.

Related: T321458: Allow Javascript files from Wikimedia GitLab to be loaded as scripts in Wikimedia wikis

Details

Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
Do the proxy thingstoolforge-repos/gitlab-content!2bd808work/bd808/do-the-thingmain
Customize query in GitLab

Related Objects

Event Timeline

bd808 created this task.Apr 22 2025, 4:34 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 22 2025, 4:34 PM
bd808 claimed this task.Apr 22 2025, 4:41 PM
bd808 triaged this task as Medium priority.
bd808 added a project: Wikimedia-Hackathon-2025.

I plan to work on a implementation for this idea during the Wikimedia-Hackathon-2025.

https://gitlab.wikimedia.org/toolforge-repos/prototyper-proxy/-/blob/c6f29129b3208fb1903f495a12d08063f2a6ddef/index.php is a narrowly focused service that I built a few months ago as part of another hackathon event. I am aware of the prior discussions in T321458: Allow Javascript files from Wikimedia GitLab to be loaded as scripts in Wikimedia wikis and believe that the primary reason for declining that task was that implementation within gitlab.wikimedia.org itself would be problematic for various reasons.

Restricted Application added a project: User-bd808. · View Herald TranscriptApr 22 2025, 4:41 PM
bd808 moved this task from Backlog to Hacking projects on the Wikimedia-Hackathon-2025 board.Apr 22 2025, 4:42 PM
bd808 moved this task from To Do to Volunteer time on the User-bd808 board.
Nemoralis subscribed.Apr 22 2025, 11:46 PM
CodeReviewBot added a project: Patch-For-Review.May 3 2025, 2:07 PM

bd808 opened https://gitlab.wikimedia.org/toolforge-repos/gitlab-content/-/merge_requests/2

Do the proxy things

CodeReviewBot added a comment.May 3 2025, 2:08 PM

bd808 merged https://gitlab.wikimedia.org/toolforge-repos/gitlab-content/-/merge_requests/2

Do the proxy things

Maintenance_bot removed a project: Patch-For-Review.May 3 2025, 2:30 PM
bd808 changed the task status from Open to In Progress.May 3 2025, 2:45 PM
bd808 removed a project: Epic.
bd808 moved this task from Ready to Doing on the Tool-gitlab-content board.May 4 2025, 12:01 PM
Nemoralis added a project: User-notice.May 6 2025, 8:57 PM

I don't remember if this was shown at the Hackathon showcase, but it would be great if we added it to the Tech News.

https://gitlab-content.toolforge.org/

bd808 added a comment.May 6 2025, 9:06 PM
In T392431#10797987, @Nemoralis wrote:

I don't remember if this was shown at the Hackathon showcase, but it would be great if we added it to the Tech News.

https://gitlab-content.toolforge.org/

It didn't make it into the showcase due to time constraints. I have a task to do some more documentation at T393330: Add maintainer docs and user usage instructions to wikitech:Tool:Gitlab-content and am planning on a wikitech-l email to go along with that. Let's see if I can do all that in time for the next Tech News. :)

debt mentioned this in T391688: [Session] 🥳 Wikimedia Hackathon 2025 Project Showcase / Closing Session.May 7 2025, 11:53 AM
UOzurumba subscribed.May 8 2025, 12:40 AM

Hello @bd808, for tech news - What wording would you suggest as the content, and When should it be included? Thanks!

UOzurumba moved this task from To Triage to Announce in next Tech/News on the User-notice board.May 8 2025, 6:44 PM
bd808 added a comment.May 9 2025, 10:38 PM

Announced to wikitech-l: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/VSUAG3BG7EKGDRAYXQDJLEZUU3XMZCB2/

bd808 added a comment.EditedMay 9 2025, 10:46 PM
In T392431#10802966, @UOzurumba wrote:

Hello @bd808, for tech news - What wording would you suggest as the content, and When should it be included? Thanks!

Maybe something like this? It can run whenever y'all are happy with the prose. It is probably too late to get it into the 2025-05-12 issue, but the following week will be fine.

Userscript developers can use a new reverse proxy tool to load javascript and css from gitlab.wikimedia.org with mw.loader.load. The tool's author hopes this will enable collaborative development workflows for userscripts including linting, unit tests, code generation, and code review on gitlab.wikimedia.org without a separate copy-and-paste step to publish scripts to a Wikimedia wiki for integration and acceptance testing. See https://wikitech.wikimedia.org/wiki/Tool:Gitlab-content for more information.

bd808 closed this task as Resolved.May 15 2025, 11:28 PM
In T392431#10808847, @bd808 wrote:
In T392431#10802966, @UOzurumba wrote:

Hello @bd808, for tech news - What wording would you suggest as the content, and When should it be included? Thanks!

Maybe something like this? It can run whenever y'all are happy with the prose. It is probably too late to get it into the 2025-05-12 issue, but the following week will be fine.

Userscript developers can use a new reverse proxy tool to load javascript and css from gitlab.wikimedia.org with mw.loader.load. The tool's author hopes this will enable collaborative development workflows for userscripts including linting, unit tests, code generation, and code review on gitlab.wikimedia.org without a separate copy-and-paste step to publish scripts to a Wikimedia wiki for integration and acceptance testing. See https://wikitech.wikimedia.org/wiki/Tool:Gitlab-content for more information.

I added this wording at https://meta.wikimedia.org/w/index.php?title=Tech/News/2025/21&diff=prev&oldid=28740345. Edits welcome there before things get locked down for translation.

Quiddity moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.May 16 2025, 6:17 PM
Quiddity moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.May 23 2025, 12:15 AM
Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Jun 2 2025, 12:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits