phabricator.wikimedia.org uses JavaScript from external domain wmfusercontent.org
Closed, DeclinedPublic

Description

phabricator uses javascript from the external domain wmfusercontent.org. I very doubt this is a good idea.

DaBPunkt created this task.Oct 16 2014, 4:35 PM
DaBPunkt updated the task description. (Show Details)
DaBPunkt added a project: Phabricator.
DaBPunkt changed Security from none to None.
DaBPunkt added a subscriber: DaBPunkt.

Could you give some more details? URL?

in particular, why is this a problem?

wmfusercontent.org domain is owned and operated by WMF for this purpose as a security measure

Krenair closed this task as Invalid.Oct 16 2014, 5:30 PM
Krenair added a subscriber: Krenair.
Nemo_bis changed the task status from Invalid to Declined.Oct 17 2014, 5:08 PM
Nemo_bis claimed this task.

I'll note that it adds some 10 % to loading times just for the additional SSL negotiation.
http://www.webpagetest.org/result/141017_E1_WTE/1/details/

Aklapper renamed this task from Uses JavaScript from external domain to phabricator.wikimedia.org uses JavaScript from external domain wmfusercontent.org.Oct 17 2014, 5:47 PM
Aklapper added subscribers: Nemo_bis, Qgil.
jeremyb edited subscribers, added: jeremyb; removed: jeremyb-phone.Oct 27 2014, 11:44 PM

Um, this definitely looks like some kind of misconfiguration to me. wmfusercontent.org, as the name says, is presumably intended to be used for user-uploaded content like task attachments, with the different TLD serving to make it impossible to steal cookies from the real site using uploaded HTML attachments, and the like – however, currently it is used both for these and for built-in Phabricator styles and scripts. This is not insecure in any way, of course, but it does cause spidey senses to tingle.

If we want to serve static content from a separate domain which has no cookies set (which is reasonable and possibly a performance improvement in some cases), then I think we should use phabricator-static.wikimedia.org, or something like that, and not reuse phab.wmfusercontent.org.