In T422587#11803881, @Krinkle wrote:

I think matching what our most sensitive sites use in production (en.wikipedia.org, uk.wikipedia.org, zh.wikipedia.org), what experts like Scott Helme recommend, and what privacy advocates like WebKit and Mozilla use as the strict default in their browser, should be good enough for our blogs.

In T417940#11641988, @ssingh wrote:

Hi @CKoerner_WMF: To clarify, this should cover all posts and the domain techblog should redirect to the diff equivalent in its entirety, is that correct?

This then would be similar to the work performed under T254367 as you mentioned, as both domains (techblog and diff) are under VIP. Can you please check that procedure with VIP and let us know if any help is required from our end? Thanks!

Hey @Krinkle do you think we need to have the Security folks take a look at this change? As you note we went through a decent amount of work to make Diff and the Foundation WordPress installs more secure. If I'm understanding you there's little risk here, but I want to be cautious.

After some planning and work we've decommissioned The Events Calendar plugin on Diff and have removed it from our environment.

After some planning and work we've decommissioned The Events Calendar plugin on Diff and have removed it from our environment.

Following the documentation provided by our hosting company I have configured the endpoint accordingly:

I hope folks acknowledge this and help to keep those up to date.

Resolving this task. The page has been updated (multiple times) since the original request and will continue to be updated. A phab task for perpetual ongoing work isn't very useful. If there are specific requests, staff can contact the folks responsible in Comms. For community folks, we've been keeping the slight more detailed org chart updated on Meta-wiki.

After talking to Jhsoby, I made an update to the module, thinking perhaps that it was making incorrect calls to generate the pins. That change seemed to work for a hot second. The next day I pulled the map up in a private window and in a window where I was logged in.

It appears that the reason I'm seeing the 403 error is because I'm accessing it directly via my browser. So that's expected behavior. A misunderstanding on my part (one of many, I'm sure).

Could I request assistance in verifying that we've properly addressed the user-agent policy requirements for Diff's oAuth implementation? It now returns a user agent in the header.

We have an update to the oAuth plugin for Diff on our dev instance. It now returns a user agent in the header.

Hmm, polylang does provide its own API.

I think this is happening because of the way translation works on Diff. Each language has its own set of categories/tags, which results in oddities like what is being described.

In T400119#11132283, @Vgutierrez wrote:

In T400119#11131904, @CKoerner_WMF wrote:

@Joe Could I ask for a two week exemption for diff.wikimedia.org until we have our next sprint with our devs? Right now folks can't log into the community blog to share their stories and updates and I won't have developer time until the second week of September.

@CKoerner_WMF we've added and applied an exemption for requests coming from diff.wikimedia.org backend. Please let us know the phabricator task you're using to track the fix on your side of things, thanks!

Confirming that this is an issue with our WordPress Mediawiki oAuth plugin not providing a user-agent in compliance with our policy. I have a sprint set up with our developers at Human Made roughly 2 weeks from now and will make this a priority fix.

@Joe Could I ask for a two week exemption for diff.wikimedia.org until we have our next sprint with our devs? Right now folks can't log into the community blog to share their stories and updates and I won't have developer time until the second week of September.

Thanks @Tgr. It sounds like I need to modify the oAuth WordPress plugin to send a unique user-agent. Correct?

In T400106#11038202, @TheDJ wrote:

I think this might be a Commons specific issue. If you disable gadgets with safemode=true, things seem to work fine. That would indicate that something is hooking into the link of the video button.

In T387075#10608522, @Shizhao wrote:

There is a workshop on this topic at W3C on 12 March 2025: https://www.w3.org/events/workshops/2025/authentic-web-workshop/

In T364479#10589307, @valerio.bozzolan wrote:

Small question. Has anybody including the kind @CKoerner_WMF already tried to contact WordPress VIP to get a cost estimation of this feature from them?

Image sources have been updated for the post.

In T344479#9849061, @Pppery wrote:

There are several sections on the meta org chart with just "TKTK". What does that mean?

Hello all, I have an update to share with you. Well, a few actually. Back in March we shared an update that the first high-level pages have been updated/created on Meta-wiki. I didn't share that update here so sorry if you missed it.

That's possible. I do test things as a user with the "contributor" role, but perhaps something changed or I wasn't as thorough. I'll test this again. Let's keep the task open.

Then, who is responsible for this? Are they aware?

Oh, and I can't forget this plugin developed by Sam that might be useful.

Mentioning T27854 as the oldest task I can find related to this task. This might even be a duplicate. ¯\_(ツ)_/¯

Yes, but you need a permission to do that (or it used to be). A regular user gets code deleted for security reasons and is (was?) not allowed to add an iframe.

That's possible. I do test things as a user with the "contributor" role, but perhaps something changed or I wasn't as thorough. I'll test this again. Let's keep the task open.

In T309101#9780997, @Theklan wrote:

I'd love it to be an oEmbed like YouTube, but that would take some MediaWiki and WordPress development. :)

That's exactly why the WMF should work on that, because there is some development. After two years there have been a total of ZERO effort on this, that is something needed if we want to be "the central repository of free knowledge". There's no way to be central if we can't use the videos directly and must relay on Youtube or Vimeo to have playable videos at social media or Wordpress.

Following up on this old task. My apologies. You can embed media from Commons on Diff. When editing an article, you can use the "Custom HTML" block and the <iframe> code from the "Use this File" link on a File: page on Commons. ie.

Diff CSP has been updated to allow loading of media from *.wikipedia.org (wikimedia.org was already in the list). Images from Wikipedia Preview are now working on Diff.

Log time to reply, apologies. I want to note this was fixed in WordPress core last year after being reported.

We've restricted access to the WP API on Diff with a recent update. Can someone please confirm if this issue is resolved according to the description?

Thanks for the head's up. I'll look into this for Diff. We recently tightened security settings across the site and it's probably due to those changes.

Yay! I received your response. You should now have an email from Diff at the new email address asking to reset your password!

In an overabundance of caution, I've messaged you via Special:Email and will reset the email once I confirm that this is a valid request. :)

This is a bug we're working on. It's related to some security changes we made to that site that is breaking calls to the WordPress API.

In T344479#9391878, @Novem_Linguae wrote:

Thanks Chris for that info and for your team's work on this. The Meta-Wiki presence project sounds like a great project that should improve community relations. Couple quick questions:

• Is there still a plan to update https://wikimediafoundation.org/role/staff-contractors/ (rather than just putting it all on-wiki, for example)?
• Approximate timeline for https://wikimediafoundation.org/role/staff-contractors/ to be updated? Two months maybe?

Thanks a lot. Looking forward to your feedback.

Hey everyone, sorry for the delay in responding—it took a bit for this task to make its way to our team. We are working on getting an updated staff listing and org structure as part of a larger project to overhaul the Foundation’s overall presence on Meta. The project, which is being led by the Movement Communications team (the team I’m on), is about building a better front door to the Foundation’s work. It’s based on a longstanding ask from community members for us to clean up our org structure as well as team and department pages (including staff listings) in a way that will better connect you all with the information, resources, and support you need from the Foundation. Take a look here to get a sense of what we’re working on.

I'm seeing other users leaving comments as well. I am resolving this issue given that T348111 is now resolved and our fix is working as intended!

This should be fixed permanently as of T348111. Apologies for the disruption of service.

Ok, I met with our developers earlier this week and now can confirm that this is holding. Resolving this issue as our plugin is working as intended.

After some light testing I think this may be related to another issue we're having on the site. We've implemented a change. Could you please try again and let me know if the site is agreeable for you?

We have our plugin in production. This should resolve the issue. I'm not going to resolve this until I can be sure, but adding a note here for transparency.

Since tags can be added by anyone they run the risk of being messy. :) It looks like someone inadvertently punched lines of text into the tag field. I've removed these and the autocomplete is working better.

Yeah, this is a frustrating situation. Our patch we deployed yesterday hit a snag, but we're addressing the issue and will have a solution eventually.

Thank you @Hurohukidaikon for the report! As mentioned in T345512, this is related to an issue with our translation/multilingual plugin. The site is working as intended now and the pages and posts are loading. If an issue comes up again, please let us know. For now, I'll consider this resolved.

I appreciate folks noticing and alerting us of these issues. There was a bug relating to the translation/multilingual plugin (Polylang) that was causing some issues with the site. See also T345582. We did the old 'turn it off and on again' fix and things are working as intended. I see new posts appearing on Planet Wikimedia as an example (https://en.planet.wikimedia.org)

Where is the code, especially the temporary fix? Maybe volunteers could help if they had access to the code.

This should be handled upstream in WordPress core. There is a task for it in their community and input there is welcome: https://core.trac.wordpress.org/ticket/44610

In doing some cleanup on the diff-blog board I'm revisiting this task. We did this for Diff back in May. For those with access: https://github.com/wpcomvip/wikimedia-blog-wikimedia-org/pull/230

A temporary fix is in place. I have a task on the list with our developers to have a more consistent fix, should be resolved in the next few months.

We have resolved the larger issue with plugins. They should now not be showing banners to non-Admins. Thanks again to @TheDJ for brining this to our attention. For posterity :) see the commit below.

May it be linked to the fact I have the same account on WordPress created separately?

According to T321160#8703886 this is resolved. I'm able to confirm and test as well. Big thanks to @Juandev for making us aware and to @Tgr for pinpointing the cause.

Hmm, looks like OAuth is not having a good day. If folks have an existing account they can request a password reset and login via the WordPress authentication at https://diff.wikimedia.org/wp-login.php

@Bennylin, I'm looking into this now. When you are translating a draft blog post, is the "duplicate" icon highlighted? https://diff.wikimedia.org/wp-content/uploads/2022/05/duplicate-icon.png

A welcome request @Bennylin. I have now added basa Jawa with the language code jv. You should be able to select it from the translation interface.

Thanks for flagging this @Bennylin. This is a bug in the calendar system that came about with a recent software update. We hope to have a patch in place in a few weeks. For the time being, notifications like this or an email to diff@wikimedia.org lets us know, and folks with the right permissions can publish events manually. I've done so for your event. Please reach out if you need to change anything.

We (The folks who help keep Diff running) have been thinking about this idea. Over the last two years we haven't seen much interest from community for creating such a board. Admittedly we as staff also haven't been able to dedicate the time it would take to setup and manage such a board. One set up the right way that would allow for the frequency and diversity of posts as we do now. (Also, the idea of an editorial board was from a different time and the organization has changed since then).

This has been done. We're using the new shiny schema and the message is no longer showing. I have a larger task with our development partners to hide these administrative messages from folks with the contributor role.

I'll have to dig into this one. It's not apparent to me why this is only happening to German and not all languages. The conjunction is a translated string ("und", "y", "et", etc.) so it should be breaking consistency across languages!