Page MenuHomePhabricator
Create Task
Maniphest T50381

Remove '-', 'MediaWiki:Monobook.css' and 'MediaWiki:Monobook.js' from wgWhitelistRead in InitialiseSettings.php
Closed, ResolvedPublic
Actions

Description

Author: Thehelpfulonewiki

Description:
Specifically for

'private' => array( 'Main Page', 'Special:Userlogin', 'Special:Userlogout', '-', 'MediaWiki:Monobook.css', 'MediaWiki:Monobook.js' ),

I don't think that those two pages need to be seen by users without an account because Vector is the default skin now. I believe we use MediaWiki:Common.js throughout wikis now instead of skin specific common files, but I'm not sure we need to allow people without accounts to see those either.

Version: wmf-deployment
Severity: normal

Details

Reference
bz48381

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:29 AM
bzimport added projects: Wikimedia-Site-requests, Shell.
bzimport set Reference to bz48381.
bzimport created this task.May 12 2013, 3:33 PM
liangent added a comment.May 12 2013, 3:42 PM

I believe these entries were needed in the age when site CSS and JS were loaded with index.php?action=raw&ctype= so people can load them before logging in. With the introduction of ResourceLoader I don't think this and similar items are still needed.

Dereckson added a comment.May 13 2013, 9:35 AM

I would like confirmation from a ResourceLoader/JS guy.

[ Adding Matma Rex as CC ]

matmarex added a comment.May 13 2013, 9:50 AM

I think Thehelpfulone and Liangent are right, but since I'm no ResourceLoader guy, I'm CC-ing Krinkle instead.

Aklapper added a comment.Jun 25 2013, 10:41 AM

Krinkle: Could you answer comment 2, please?

MZMcBride added a comment.Jun 26 2013, 3:17 AM

Why is '-' included (just curious)?

liangent added a comment.Jun 26 2013, 3:41 AM

(In reply to comment #5)

Why is '-' included (just curious)?

In the past, &title=- was used in JS loading and I believe this was the reason to include '-' in wgWhitelistRead.

Krinkle added a comment.Jun 26 2013, 7:28 AM

MediaWiki:Monobook.css and MediaWiki:Monobook.js are redundant indeed.

Note that you should still not put private information in there[1] as ResourceLoader's entry point essentially bypasses the whitelist indirectly through it's package for the 'site' module.

[1] there being both Common.js, Common.css as well as any skin .css/.js page.

gerritbot added a comment.Jul 14 2013, 2:43 AM

Change 73603 had a related patch set uploaded by TTO:
(bug 48381) remove obsolete js/css entries from $wgWhitelistRead

https://gerrit.wikimedia.org/r/73603

gerritbot added a comment.Jul 17 2013, 4:41 PM

Change 73603 merged by jenkins-bot:
(bug 48381) remove obsolete js/css entries from $wgWhitelistRead

https://gerrit.wikimedia.org/r/73603

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL