I work on the MediaWiki Security Team.
It's probably technically easier to do it for all (although probably politically harder).
Related to task T91535
So digging further into the code, I can confirm that mass message bot messages get classified as unknown-unsigned-addition (probably because of the fake sig that involves interwiki links) which don't send the header. It's unclear to me if that's generally something that should change for all unsigned-addition's or if we should special case it for mass message. Like if someone adds a section, why does it matter if they sign their edit or not?
So testing locally, it looks like it only includes the section header in the email alert if it detects a signature.
Oh, issue was that the <pre> tag wasn't closed, and I didn't notice. My bad. Behaviour is still weird, but it's the same weirdness between MW core parser and flow, so not a bug.
Sorry, I missed the notice about the earlier ping.
Well, I've never done a user rename on phab before, but there's a button labelled rename user, and it seemed to work, so hopefully that's all that needs to be done.
Mon, Nov 11
@Bawolff see https://www.oauth.com/oauth2-servers/single-page-apps/ for how OAuth 2 can be accomplished without a server or an app secret. Effectively it relies on HTTPS (and the server) giving the client id and secret to only the registered app domain (via a redirect). In this way, unless the app gives away the client secret (or the client does) requests from that client id and secret are known to come only from that application. I'm not sure if this can be accomplished with OAuth 1.0 as it does not require HTTPS (afaik).
The easier way must not exclude other ways w/o at least one trial.
My bad, you are correct. I did confuse myself.
This gives IP addresses - checkuser essentially. I think legal needs to approve this.
Sun, Nov 10
Moving files breaks hotlinking
So the current API mostly works under the assumption that authenticated CORS requests come from trusted (i.e. WMF operated) websites only. To use cookie authentication w/CSRF tokens for other websites is probably possible in theory, but would involve a much more complicated flow. I don't really think we should do that unless we have to.
Fri, Nov 8
I think it would be interesting to try adding a per-user concurrency limit of say 2, enforced with PoolCounter. I don't think PoolCounter has been used in that way before, but I think it should work.
Thu, Nov 7
I would be concerned about the increased potential for phishing and viruses/other malicious attachments.
Wed, Nov 6
PPS. Fixing this phab would also obviate the need for the tasks blocked on T145966. I think we can safely conclude that Extension:DeleteBatch will never be adapted to get by @Bawolff's watchful eye; but maybe there is some synergy in making Extension:DynamicPageList and Extension:Nuke talk to each other?
For what it's worth, I do intend to look into this.
Mon, Nov 4
Is the 500 limit on special:contribs even meant to be permanent or just a temporary stop gap?
Sun, Nov 3
Didn't realize I could do this myself. https://phabricator.wikimedia.org/project/view/4365/ done now
A small number of browsers seem to want android-webview-video-poster: as a source when viewing videos, but the number of reports is small enough that it's not clear if we should include it.
Fri, Nov 1
I can confirm I can access logstash now, so I'm going to close this task as resolved.
Tue, Oct 29
Interesting. I guess I naively would have assumed workers follow the usual JS loading, where it can execute cross domain but can't read.
Mon, Oct 28
Note: OutputPage will automatically add CSP headers to special pages if configured, so you don't have to do anything on your special page to opt in to CSP headers (e.g. As an example, you can see that CSP headers are sent on https://en.wikipedia.org/wiki/Special:BlankPage )
Note: It may be a totally valid solution to just get rid of the $wgDebugRedirects feature.
Sun, Oct 27
Sat, Oct 26
I want to add that YouTube is not a random third party website in this case.
Fri, Oct 25
Thu, Oct 24
I feel like sql.php meets the requirements of this feature request
Thu, Oct 17
Hmm, looks like it was removed in 2a806d04290da7
Wed, Oct 16
One minor thing to note, that sometimes this description is used to run stats on how popular different upload methods are. However, that would be a silly reason to keep it the way it is. I've always been kind of annoyed by the lack of descriptive description.
Looking at puppet, it looks like we already have some customization in modules/mailman/files/templates/* - so at first glance, I assume we could just add an article.html. Unfortunately, it looks like we can't modify the <pre> tag as that's added outside the template (And CSS has no direction:auto attribute). In theory we could add a U+2068 FIRST-STRONG ISOLATE, but I think a better approach would be to just add a new surrounding div.
Tue, Oct 15
Mon, Oct 14
If this is going to be merged in other discourse, I wouldn't worry about it (unless the other discourse has same problem).
Some standard advice for people experiencing this issue might be (not VE/parsoid specific, but for curl error 7 in general):
Oct 12 2019
Oct 11 2019
8 years after the fact, whatever this error was has been probably fixed, and if it hasn't there is not enough info to reproduce or do anything about it.
Oct 10 2019
Should be live now. Please let me know if that fixed the problem.
Oct 9 2019
So to be clear: this is about the iOS app edit and mobile edit tag?
*edit* I was reading the wrong section of the talk page. Please ignore this.
The ability to differentiate a Wikimedia site (e.g. Wikipedia) from a third-party site running MediaWiki.
Oct 7 2019
Ok, so not exactly sure if the stablepages=only issue is what is being reported here or not, but that issue appears to be caused by d3259c2b7ca12d / 4eba7cf0f3e4, which (accidentally, I assume) removed the FLAGGED_REVS constant, which dynamic page list was looking for to decide if to enable flagged revs integration.
Oct 6 2019
I think what the user is reporting, is that in dynamicPageList extension, the stablepages=only parameter, which should exclude pages not managed by flagged revisions, is no longer working.
I still do not see how this problem is related to the patrolling code in the MediaWiki core code base itself if you can trigger that behavior already by writing the name of a template into a wiki page. Hence I'm removing MediaWiki-Patrolling.
Oct 5 2019
Yes, but when you visit the site it will get removed (in the interface). To put it another way, the / is used behind the scenes, but anything the user sees will not use the /.
Oct 4 2019
Oct 3 2019
Sep 22 2019
Sep 21 2019
To answer my own question, I did a quick test - Currently it's 26751 bytes compressed. Super aggressive gzip (zopfli) could in theory bring that down to 25532 bytes for a saving of 1219 bytes. More sane would be brotli, which could bring down to 23763 bytes for a saving of 2988 bytes.
Interesting. Thanks for sharing this. I wonder if this is an area that would benefit from more aggressive compression. The data is cached from what I understand so it doesn't have to be compressed on the fly, and getting as much as possible in that initial window seems important.