Page MenuHomePhabricator
Create Task
Maniphest T90526

Graphoid for private wikis / Keep session data per request in Vega
Closed, DeclinedPublic
Actions

Description

During request processing, graphoid anonymously calls allowed public wikis (e.g. en.wikipedia.org), without forwarding any user session data. In order to allow graphoid use on the private wikis, it needs to forward the session state to the private wikis.

This implies that:

  • Vega library needs to keep the context of the rendering request so that the data loader could forward relevant session data
  • We need a plan how to keep graphoid in the same security zone as the private wiki
    • Possible ideas - one graphoid instance per private wiki, e.g. zero.wikimedia.org => graphoid.zero.wikimedia.org, plus custom rules that allow session data to be forwarded only to zero.wikimedia.org, but make anonymous calls to all other allowed wikis.

Related Objects
Search...

Event Timeline

Yurik created this task.Feb 24 2015, 3:55 AM
Yurik raised the priority of this task from to Needs Triage.
Yurik updated the task description. (Show Details)
Yurik added projects: MediaWiki-extensions-Graph, Security-General.
Yurik added subscribers: Yurik, Milimetric.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 24 2015, 3:55 AM
Yurik set Security to None.Feb 24 2015, 3:55 AM
Yurik moved this task from Backlog to Graphoid on the MediaWiki-extensions-Graph board.
Yurik added a subscriber: DFoy.
Yurik added a parent task: T90496: Pass on the user authentication when requesting graph def & data.Feb 24 2015, 3:57 AM
Liuxinyu970226 subscribed.Feb 24 2015, 5:01 AM
Yurik mentioned this in T93126: Perform a security review of graphoid.Apr 9 2015, 9:26 PM
Ricordisamoa subscribed.Apr 16 2015, 3:02 PM
Yurik edited projects, added Graphoid; removed MediaWiki-extensions-Graph.Apr 16 2015, 9:19 PM
Yurik triaged this task as Medium priority.May 11 2015, 11:27 PM
csteipp mentioned this in T98313: Graphs can leak tokens, leading to CSRF.May 11 2015, 11:58 PM
Yurik added a subtask: T98868: Change Vega implementation to pass context.May 12 2015, 2:36 PM
Yurik closed subtask T98868: Change Vega implementation to pass context as Resolved.Jan 8 2016, 7:31 AM
Phabricator_maintenance added a project: acl*security.Sep 20 2018, 9:15 AM
Aklapper removed a project: Security-General.Dec 13 2019, 10:46 AM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
Aklapper closed this task as Declined.Nov 7 2020, 10:04 AM

Graphoid is not actively worked on anymore and is being phased out / sunsetted / undeployed / archived (see T211881, T242855, T236892).
Boldly declining this task.

Milimetric mentioned this in T249419: RFC: Render data visualizations on the server.Nov 24 2020, 11:49 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits