Page MenuHomePhabricator
Create Task
Maniphest T670

phabricator.wikimedia.org uses JavaScript from external domain wmfusercontent.org
Closed, DeclinedPublic
Actions

Description

phabricator uses javascript from the external domain wmfusercontent.org. I very doubt this is a good idea.

Related Objects

Event Timeline

DaBPunkt created this task.Oct 16 2014, 4:35 PM
DaBPunkt updated the task description. (Show Details)
DaBPunkt added a project: Phabricator.
DaBPunkt changed Security from none to None.
DaBPunkt subscribed.
jeremyb-phone subscribed.Oct 16 2014, 5:10 PM

Could you give some more details? URL?

jeremyb-phone added a comment.Oct 16 2014, 5:16 PM

in particular, why is this a problem?

chasemp subscribed.Oct 16 2014, 5:18 PM

wmfusercontent.org domain is owned and operated by WMF for this purpose as a security measure

chasemp added a comment.Oct 16 2014, 5:23 PM

https://phabricator.wikimedia.org/T367

Krenair closed this task as Invalid.Oct 16 2014, 5:30 PM
Krenair subscribed.
Nemo_bis changed the task status from Invalid to Declined.Oct 17 2014, 5:08 PM
Nemo_bis claimed this task.

I'll note that it adds some 10 % to loading times just for the additional SSL negotiation.
http://www.webpagetest.org/result/141017_E1_WTE/1/details/

Aklapper renamed this task from Uses JavaScript from external domain to phabricator.wikimedia.org uses JavaScript from external domain wmfusercontent.org.Oct 17 2014, 5:47 PM
Aklapper merged a task: T619: Can't set a project for this task.
Aklapper added subscribers: Nemo_bis, Qgil.
jeremyb edited subscribers, added: jeremyb; removed: jeremyb-phone.Oct 27 2014, 11:44 PM
matmarex subscribed.Feb 1 2015, 6:40 PM

Um, this definitely looks like some kind of misconfiguration to me. wmfusercontent.org, as the name says, is presumably intended to be used for user-uploaded content like task attachments, with the different TLD serving to make it impossible to steal cookies from the real site using uploaded HTML attachments, and the like – however, currently it is used both for these and for built-in Phabricator styles and scripts. This is not insecure in any way, of course, but it does cause spidey senses to tingle.

If we want to serve static content from a separate domain which has no cookies set (which is reasonable and possibly a performance improvement in some cases), then I think we should use phabricator-static.wikimedia.org, or something like that, and not reuse phab.wmfusercontent.org.

matmarex mentioned this in T104730: Phabricator dependence on wmfusercontent.org.Jul 6 2015, 5:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL