dbarratt (David Barratt)
Software Engineer, Anti-Harassment Tools

User Details

User Since
May 30 2017, 9:17 PM (172 w, 6 d)
Availability
Available
IRC Nick
davidwbarratt
LDAP User
Dbarratt
MediaWiki User
DBarratt (WMF) [ Global Accounts ]

Recent Activity

Today

dbarratt closed T260601: Remove the static mock data from the popup and make a request to the API endpoint for dynamic mock data, a subtask of T260602: Complete the necessary reviews for the IP Info extension, as Invalid.
Tue, Sep 22, 3:47 PM · Anti-Harassment, IP Info
dbarratt closed T260601: Remove the static mock data from the popup and make a request to the API endpoint for dynamic mock data as Invalid.

This was completed as part of T260604

Tue, Sep 22, 3:46 PM · Anti-Harassment, IP Info
dbarratt claimed T260607: Deploy the IP Info extension to The Good Place.
Tue, Sep 22, 3:45 PM · Anti-Harassment (The Letter Song), IP Info
dbarratt moved T261651: CU 2.0: It isn't always possible to use the tools menu just with keyboard from Code Review to QA/Testing on the Anti-Harassment (The Letter Song) board.
Tue, Sep 22, 3:42 PM · MW-1.36-notes (1.36.0-wmf.11; 2020-09-29), Accessibility, Anti-Harassment (The Letter Song), CheckUser
dbarratt moved T260604: Display a popup with fixed mock data for an IP address on the specified page(s) from Code Review to QA/Testing on the Anti-Harassment (The Letter Song) board.
Tue, Sep 22, 3:42 PM · Anti-Harassment (The Letter Song), IP Info
dbarratt moved T260607: Deploy the IP Info extension to The Good Place from Ready to QA/Testing on the Anti-Harassment (The Letter Song) board.

When logged in, should see the popup on this page:
https://thegoodplace.wmflabs.org/index.php?title=Test&action=history

Tue, Sep 22, 3:37 PM · Anti-Harassment (The Letter Song), IP Info
dbarratt edited projects for T260607: Deploy the IP Info extension to The Good Place, added: Anti-Harassment (The Letter Song); removed Anti-Harassment.
Tue, Sep 22, 3:37 PM · Anti-Harassment (The Letter Song), IP Info
dbarratt moved T260603: Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address from In Progress to QA/Testing on the Anti-Harassment (The Letter Song) board.
Tue, Sep 22, 1:42 PM · Patch-For-Review, Anti-Harassment (The Letter Song), IP Info
dbarratt closed T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API, a subtask of T244287: Build the Vue.js search component network client, as Resolved.
Tue, Sep 22, 2:57 AM · Patch-For-Review, Readers-Web-Backlog (Kanbanana-2020-21-Q1), Vue.js (Vue.js-Search), Desktop Improvements
dbarratt closed T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API, a subtask of T229661: Core REST API in MediaWiki, as Resolved.
Tue, Sep 22, 2:57 AM · Platform Team Workboards (Initiatives), MediaWiki-REST-API, Platform Team Initiatives (MW REST API in PHP)
dbarratt closed T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API as Resolved.
Tue, Sep 22, 2:57 AM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)

Yesterday

dbarratt added a comment to T263424: Display a URL for an organization associated with an ASN in the IPInfo popup.

Without giving an example (and exposing my IP address) the hostname sometimes contains the IP address which would seem to be contradictory to the goals of IP masking. Alternatively, we could provide the top-level domain (TLD) of the host which I imagine would be sufficient?

Mon, Sep 21, 2:20 PM · IP Info, Anti-Harassment

Fri, Sep 18

dbarratt updated the task description for T263263: Access and use the MaxMind database for CheckUser.
Fri, Sep 18, 7:44 PM · Anti-Harassment, CheckUser, Tech-Product API Roadmap

Thu, Sep 17

dbarratt renamed T262963: Security Readiness Review For geoip2/geoip2 from Security review of geoip2/geoip2 to Security Readiness Review For geoip2/geoip2.
Thu, Sep 17, 6:34 PM · Security, secscrum, Security Readiness Reviews, Anti-Harassment, IP Info, MediaWiki-Vendor
dbarratt added a comment to T263075: Should the REST API return null/empty or should the property be missing?.

@Pchelolo Awesome! Thanks!

Thu, Sep 17, 3:08 PM · Documentation, Anti-Harassment, IP Info, Platform Engineering, MediaWiki-REST-API
dbarratt added a comment to T263075: Should the REST API return null/empty or should the property be missing?.

@Pchelolo related question, should nested objects be null or should their (scalar) properties be null?

Thu, Sep 17, 2:53 PM · Documentation, Anti-Harassment, IP Info, Platform Engineering, MediaWiki-REST-API
dbarratt moved T260603: Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address from Code Review to In Progress on the Anti-Harassment (The Letter Song) board.
Thu, Sep 17, 1:26 PM · Patch-For-Review, Anti-Harassment (The Letter Song), IP Info
dbarratt added a comment to T263075: Should the REST API return null/empty or should the property be missing?.

@Pchelolo That is super helpful, thank you so much!

Thu, Sep 17, 1:26 PM · Documentation, Anti-Harassment, IP Info, Platform Engineering, MediaWiki-REST-API

Wed, Sep 16

dbarratt updated the task description for T263075: Should the REST API return null/empty or should the property be missing?.
Wed, Sep 16, 11:36 PM · Documentation, Anti-Harassment, IP Info, Platform Engineering, MediaWiki-REST-API
dbarratt updated the task description for T263075: Should the REST API return null/empty or should the property be missing?.
Wed, Sep 16, 11:34 PM · Documentation, Anti-Harassment, IP Info, Platform Engineering, MediaWiki-REST-API
dbarratt created T263075: Should the REST API return null/empty or should the property be missing?.
Wed, Sep 16, 11:34 PM · Documentation, Anti-Harassment, IP Info, Platform Engineering, MediaWiki-REST-API
dbarratt added a comment to T262963: Security Readiness Review For geoip2/geoip2.

I had "Alternatively, we could create a new web service in production that our extension could make a request to (from PHP)." lingering in my brain when I made the packaging comment. Which was confusing on my part as I was doing a bit of a drive-by here.

Wed, Sep 16, 2:43 PM · Security, secscrum, Security Readiness Reviews, Anti-Harassment, IP Info, MediaWiki-Vendor

Tue, Sep 15

dbarratt added a comment to T260821: Performance review of IP Info extension.

I'm told that MaxMind has a new competitor, https://db-ip.com/ which makes their dataset available in MaxMind's mmdb format: https://db-ip.com/db/ which means that the related tooling and libraries work with it. It's probably worth looking into their T&C as well. The free version of that database is CC BY licensed: https://db-ip.com/db/ip-to-location That could be a great starting point.

Tue, Sep 15, 8:30 PM · Anti-Harassment, Performance-Team, IP Info
dbarratt updated the task description for T262963: Security Readiness Review For geoip2/geoip2.
Tue, Sep 15, 6:22 PM · Security, secscrum, Security Readiness Reviews, Anti-Harassment, IP Info, MediaWiki-Vendor
dbarratt created T262963: Security Readiness Review For geoip2/geoip2.
Tue, Sep 15, 6:21 PM · Security, secscrum, Security Readiness Reviews, Anti-Harassment, IP Info, MediaWiki-Vendor
dbarratt moved T261944: Show full reason in mobile block message drawer from Code Review to QA/Testing on the Anti-Harassment (The Letter Song) board.
Tue, Sep 15, 4:02 PM · MW-1.36-notes (1.36.0-wmf.10; 2020-09-22), MediaWiki-Blocks, Anti-Harassment (The Letter Song)

Mon, Sep 14

dbarratt added a comment to T262436: Deploy Special:Investigate to Spanish, Swedish and Italian wikipedias.

What do we want to do with this ticket?

Mon, Sep 14, 9:42 PM · Anti-Harassment (The Letter Song), CheckUser

Fri, Sep 11

dbarratt updated the task description for T260603: Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address.
Fri, Sep 11, 5:10 PM · Patch-For-Review, Anti-Harassment (The Letter Song), IP Info
dbarratt added a comment to T260821: Performance review of IP Info extension.

Since making an API that can return information about any IP address is probably out of the question, given that we shut down a service that did just that 4 years ago due to abuse.

Fri, Sep 11, 5:09 PM · Anti-Harassment, Performance-Team, IP Info

Thu, Sep 10

dbarratt updated the task description for T261639: System and Composite blocks don't always report correct anonymous value.
Thu, Sep 10, 2:52 PM · MediaWiki-User-management, MediaWiki-Blocks, Anti-Harassment

Wed, Sep 9

dbarratt added a comment to T245474: CORS not enabled for OAuth 2.0.

@kamholz & @EvanProdromou this should work now, can you try again?

Wed, Sep 9, 6:20 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt closed T262425: Enable $wgAllowCrossOrigin on all Wikimedia wikis, a subtask of T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API, as Resolved.
Wed, Sep 9, 6:20 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)
dbarratt closed T262425: Enable $wgAllowCrossOrigin on all Wikimedia wikis as Resolved.
Wed, Sep 9, 6:20 PM · Wikimedia-Site-requests, Patch-For-Review, Platform Team Initiatives (MW REST API in PHP)
dbarratt closed T262425: Enable $wgAllowCrossOrigin on all Wikimedia wikis, a subtask of T245474: CORS not enabled for OAuth 2.0, as Resolved.
Wed, Sep 9, 6:20 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt added a comment to T262425: Enable $wgAllowCrossOrigin on all Wikimedia wikis.

Added to the deployment schedule: https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20200909T1800

Wed, Sep 9, 5:30 PM · Wikimedia-Site-requests, Patch-For-Review, Platform Team Initiatives (MW REST API in PHP)
dbarratt added a comment to T262363: Creation of docker-compose.override.yml for Linux users.

This might be unfeasible, but could we modify the main docker-compose.yml to set the user for everyone? In other words, set it to the environment variables provided, if they aren't provided, use the default?

Wed, Sep 9, 3:33 PM · Release-Engineering-Team-TODO (2020-07-01 to 2020-09-30 (Q1)), User-kostajh, Release-Engineering-Team, Developer Productivity, User-brennen, MediaWiki-Docker
dbarratt added a comment to T262362: Add .env file creation to docker start command.

Why would the user set the environment variables and not set a LocalSettings.php ?

Wed, Sep 9, 3:29 PM · User-kostajh, Release-Engineering-Team, Developer Productivity, User-brennen, MediaWiki-Docker
dbarratt closed T253594: Tabs may not be valid YAML as Resolved.
Wed, Sep 9, 3:27 PM · MW-1.36-notes (1.36.0-wmf.9; 2020-09-15), Platform Team Workboards (External Code Reviews), MediaWiki-Docker, MediaWiki-General
dbarratt removed a parent task for T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API: T245474: CORS not enabled for OAuth 2.0.
Wed, Sep 9, 2:51 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)
dbarratt removed a subtask for T245474: CORS not enabled for OAuth 2.0: T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.
Wed, Sep 9, 2:51 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt added a parent task for T262425: Enable $wgAllowCrossOrigin on all Wikimedia wikis: T245474: CORS not enabled for OAuth 2.0.
Wed, Sep 9, 2:51 PM · Wikimedia-Site-requests, Patch-For-Review, Platform Team Initiatives (MW REST API in PHP)
dbarratt added a subtask for T245474: CORS not enabled for OAuth 2.0: T262425: Enable $wgAllowCrossOrigin on all Wikimedia wikis.
Wed, Sep 9, 2:51 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt created T262425: Enable $wgAllowCrossOrigin on all Wikimedia wikis.
Wed, Sep 9, 2:47 PM · Wikimedia-Site-requests, Patch-For-Review, Platform Team Initiatives (MW REST API in PHP)

Tue, Sep 8

dbarratt added a comment to T261053: REST API unnecessarily asks for CSRF tokens.

Fair, but it doesn't seem like a big cost. MediaWiki JS will presumably provide an abstraction just like it does for the action API tokens, and all other clients will use OAuth anyway as obtaining a session cookie is much more cumbersome and fragile for them.

Tue, Sep 8, 9:34 PM · Patch-For-Review, Platform Engineering, MediaWiki-REST-API
dbarratt added a comment to T245474: CORS not enabled for OAuth 2.0.

Why is there a CORS request happening, anyway? I'm probably misremembering the OAuth2 flow but if the user is sent to the authorization dialog on the wiki, and that submits to a special page and that redirects to the rest API, that should be a same-domain request.

Tue, Sep 8, 9:32 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt added a comment to T261053: REST API unnecessarily asks for CSRF tokens.

OAuth does not rely on the browser to prevent an attack - the attack is prevented by the attacker not having any way to obtain the OAuth token.

Tue, Sep 8, 8:46 PM · Patch-For-Review, Platform Engineering, MediaWiki-REST-API
dbarratt updated subscribers of T245474: CORS not enabled for OAuth 2.0.

Doesn't oauth2/access_token expect redirected form POSTs from the authorization dialog? That's not preflighted.

Tue, Sep 8, 8:33 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.

Apparently the Web team does their development on localhost or other domains, but makes API calls to the production domains, so they are running into this problem.

Tue, Sep 8, 7:36 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)
dbarratt added a comment to T245474: CORS not enabled for OAuth 2.0.

I don't think a preflight is necessarily a bug, it can be a feature. We've been talking about forcing a preflight on POST requests (like all other writable methods) by limiting the Content-Type being used on the request (See T126257) which would remove the need for CSRF tokens. As far as I can tell, the REST API only has routes that accept a non-standard Content-Type on a POST anyways.

Tue, Sep 8, 7:26 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt added a comment to T245474: CORS not enabled for OAuth 2.0.

POST requests do not need to be preflighted, as long as the POST body is in some standard web format like application/x-www-form-urlencoded or multipart/form-data.

Tue, Sep 8, 7:24 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt closed T232692: Should MediaWiki stop storing sessions on the server? as Declined.
Tue, Sep 8, 7:21 PM · MediaWiki-Authentication-and-authorization
dbarratt moved T261178: Block modal on mobile: Create designs that include full reason from Needs Design to QA/Testing on the Anti-Harassment (The Letter Song) board.

Moving this forward, we can iterate if we'd like to improve it.

Tue, Sep 8, 3:17 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.9; 2020-09-15), Anti-Harassment (The Letter Song), Mobile, Design, MediaWiki-Blocks
dbarratt added a comment to T261178: Block modal on mobile: Create designs that include full reason.

@Prtksxna What do you think? Do you like it exposing it on "See More" or should it scroll?

I don't think I understand the difference between exposing and scrolling. Is what you're proposing different from what @Tchanders had demo'd during stand-up?

Tue, Sep 8, 2:57 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.9; 2020-09-15), Anti-Harassment (The Letter Song), Mobile, Design, MediaWiki-Blocks

Sat, Sep 5

dbarratt added a comment to T245474: CORS not enabled for OAuth 2.0.

Yeah, the OAuth 2.0 endpoints aren't authenticated.

This is not entirely true. They do include a client ID and a client secret in the payload, but not a Cookie header.

Sat, Sep 5, 8:13 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt updated the task description for T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.
Sat, Sep 5, 2:58 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)

Fri, Sep 4

dbarratt added a comment to T245474: CORS not enabled for OAuth 2.0.

I think the only thing that needs to happen is enabling $wgAllowCrossOrigin (assuming the request isn't authenticated).

Fri, Sep 4, 8:02 PM · Platform Team Initiatives (API Gateway), Platform Team Workboards (S&F Workboard), MediaWiki-extensions-OAuth
dbarratt added a comment to T260603: Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address.

We should probably define what fields we need and in what format they should take.

Do you mean which information we should return about the IP?

Fri, Sep 4, 6:46 PM · Patch-For-Review, Anti-Harassment (The Letter Song), IP Info
dbarratt added a comment to T235554: net::ERR_HTTP2_PROTOCOL_ERROR 200 on Docker MediaWiki hosted on Cloud VPS.

For Fed props, just setting $wgDisableOutputCompression = true; seems to work around this issue for us.

Fri, Sep 4, 3:50 PM · Anti-Harassment, Cloud-VPS
dbarratt moved T261178: Block modal on mobile: Create designs that include full reason from Code Review to Needs Design on the Anti-Harassment (The Letter Song) board.
Fri, Sep 4, 1:08 AM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.9; 2020-09-15), Anti-Harassment (The Letter Song), Mobile, Design, MediaWiki-Blocks
dbarratt added a comment to T261178: Block modal on mobile: Create designs that include full reason.

I was thinking the reason would already be visible and the "See More" would just scroll the user upward with something like this:

window.scroll({
  top: 300, // Whatever the height of the space above the drawer is.
  behavior: 'smooth' // Works in modern browsers, ignored in older ones (afaik)
});

basically it would just smooth scroll the drawer to the top (or as high as it goes).

Fri, Sep 4, 1:08 AM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.9; 2020-09-15), Anti-Harassment (The Letter Song), Mobile, Design, MediaWiki-Blocks
dbarratt updated the task description for T260821: Performance review of IP Info extension.
Fri, Sep 4, 12:51 AM · Anti-Harassment, Performance-Team, IP Info

Wed, Sep 2

dbarratt added a comment to T260604: Display a popup with fixed mock data for an IP address on the specified page(s).

@Niharika Although we decided on Special:Investigate in the meeting, that page is complicated by the fact that it displays IP addresses of logged-in users. Displaying information for these IP addresses is more complicated, since they are not directly associated with a revision or log ID (the user name is instead; the IPs are discarded after 90 days). It might be confusing if we offer this feature only for anon IPs on Special:Investigate. Could we start with a different page that only displays IPs on anonymous editors, but still only make the feature available to checkusers to begin with?

Wed, Sep 2, 3:04 PM · Anti-Harassment (The Letter Song), IP Info
dbarratt added a comment to T194880: Allow the path to the vendor directory to be customized within MediaWiki.

Please explain why it matters for MediaWiki.

Wed, Sep 2, 3:00 PM · Patch-For-Review, MediaWiki-Vendor, Wikimedia-Hackathon-2018, MediaWiki-General, Composer
dbarratt added a comment to T261696: MW REST Framework support for authenticated CORS.

@Pchelolo That makes sense to me. This task should be resolved when T232176 is resolved correct? Assuming we make it configurable as described in T232176#6427076?

Wed, Sep 2, 2:43 PM · Platform Team Sprints Board (Sprint 3), Patch-For-Review, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)
dbarratt updated subscribers of T260604: Display a popup with fixed mock data for an IP address on the specified page(s).

@Prtksxna Could you add a mockup or a screenshot to this task? Thanks!

Wed, Sep 2, 1:29 AM · Anti-Harassment (The Letter Song), IP Info
dbarratt added a comment to T260603: Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address.

We should probably define what fields we need and in what format they should take.

Wed, Sep 2, 1:28 AM · Patch-For-Review, Anti-Harassment (The Letter Song), IP Info

Tue, Sep 1

dbarratt claimed T260603: Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address.
Tue, Sep 1, 3:55 PM · Patch-For-Review, Anti-Harassment (The Letter Song), IP Info
dbarratt moved T260603: Create an API endpoint that accepts a log id or revision id and returns mock data about the IP address from Ready to In Progress on the Anti-Harassment (The Letter Song) board.
Tue, Sep 1, 3:54 PM · Patch-For-Review, Anti-Harassment (The Letter Song), IP Info
dbarratt added a comment to T261696: MW REST Framework support for authenticated CORS.

I think this whole thing is trying to make an exception for a single client. I don't think this is a good idea. But I do understand if a wiki wanted to take the performance impact for all routes. I just don't see why a wiki would want to allow it on some routes, but not others. It implies that the routes they want to allow use are known, when they might not be. We'd have to add configuration to allow a wiki to specify which routes are allowed.

Tue, Sep 1, 3:38 PM · Platform Team Sprints Board (Sprint 3), Patch-For-Review, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.

I had an idea in T261696#6427063 that we should use Option 1 by default, but add a config variable to enable Option 3. Effectively a wiki could opt-into allowing cookie auth for cross-origin requests. This would be enabled on Meta, but disabled on all other wikis. This should fix @Pchelolo's dilemma while also limiting the performance impact.

Tue, Sep 1, 3:21 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)
dbarratt added a comment to T261696: MW REST Framework support for authenticated CORS.

Another idea would be to allow Cookie Auth for all requests, but configure it per wiki. Basically Meta would allow such requests (by configuration) but all other wikis would not. Which I guess kind of makes sense conceptually. Meta is the "central" wiki for lots of things and should allow access all the time, but not the other way around.

Tue, Sep 1, 3:18 PM · Platform Team Sprints Board (Sprint 3), Patch-For-Review, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)
dbarratt added a comment to T261696: MW REST Framework support for authenticated CORS.

TLDR: It's been decided that by default REST API will set access-control-allow-credentials: false thus disallowing CORS requests with cookie authentication.

Tue, Sep 1, 3:16 PM · Platform Team Sprints Board (Sprint 3), Patch-For-Review, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)
dbarratt added a comment to T261758: CU 2.0: some unnecessary attributes included in the wikitext table.

I wonder if we should convert the table to wikitext on the server (with Parsoid PHP in core) before adding the attributes? That seems like it might be easier than ensuring they are all removed? 🤔

Tue, Sep 1, 2:31 PM · CheckUser, Anti-Harassment
dbarratt moved T261088: CU 2:0: GuidedTour highlighted row should have faded yellow from In Progress to Code Review on the Anti-Harassment (The Letter Song) board.
Tue, Sep 1, 1:26 AM · MW-1.36-notes (1.36.0-wmf.8; 2020-09-08), Anti-Harassment (The Letter Song), Design, CheckUser

Mon, Aug 31

dbarratt added a comment to T261646: CU 2.0: Cannot select text inside table.

I think this is because of the mousedown handler https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/620798/6/modules/ext.checkuser.investigate.tables.js#234

Mon, Aug 31, 10:36 PM · CheckUser, Anti-Harassment
dbarratt added a comment to T260605: Add IP Info extension to translatewiki.net.

This should happen automatically now that the repo has been created:
https://translatewiki.net/wiki/Translating:MediaWiki#Extensions

Mon, Aug 31, 10:14 PM · Anti-Harassment, IP Info
dbarratt updated the task description for T260821: Performance review of IP Info extension.
Mon, Aug 31, 9:17 PM · Anti-Harassment, Performance-Team, IP Info
dbarratt added a comment to T260821: Performance review of IP Info extension.

@Tchanders I added some clarity on which option we would be pursuing and removed the questions. How does that look?

Mon, Aug 31, 9:16 PM · Anti-Harassment, Performance-Team, IP Info
dbarratt updated the task description for T260821: Performance review of IP Info extension.
Mon, Aug 31, 9:15 PM · Anti-Harassment, Performance-Team, IP Info
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.

@dbarratt is that your understanding as well? Do you want to amend your patch to support the revised proposal, or do you want me to take over? Alternatively, we can get your patch in as pure Option 1, and I'll do the revised proposal as a followup.

Mon, Aug 31, 6:54 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)
dbarratt added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.

@Tgr to clarify, if there is no Origin header on the request, we can assume that it's the same-origin (it might not be, but that's not different than what we are doing now). Effectively modern browsers benefit from the added privacy/security, older browsers do not.

Mon, Aug 31, 4:23 PM · Security, MediaWiki-Authentication-and-authorization, TechCom-RFC
dbarratt added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.
In T40417#6423925, @Tgr wrote:

Currently everyone can edit Wikipedia; with the change, people with certain browsers (possibly including the majority of certain countries, e.g. old IE versions are still very popular in China I believe) could not. That does not sound like an acceptable tradeoff for an (AIUI) mostly theoretical security hardening.

Mon, Aug 31, 4:17 PM · Security, MediaWiki-Authentication-and-authorization, TechCom-RFC
dbarratt added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.
In T40417#6423655, @Tgr wrote:

Not all browsers set Origin reliably on non-CORS requests.

Mon, Aug 31, 4:11 PM · Security, MediaWiki-Authentication-and-authorization, TechCom-RFC
dbarratt added a comment to T261358: Review CORS strategy for WikimediaApiPortalOAuth extension.

Oh, what I have in mind is

// Proposed hook on the REST Handler base class (PHP); handlers override it.
protected function needsCrossDomainAuthenticated() { return false; }

with developers overriding this. All the actual policy should be handled by the REST framework. Perhaps we'd want the override slightly more elaborate to be able to limit the hosts beyond what the default allowlist limits, TBD. The point is that developers will not be allowed to assign random CORS headers.

Mon, Aug 31, 3:24 PM · Patch-For-Review, Security-Team, Security, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)
dbarratt added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.
In T40417#6423655, @Tgr wrote:

Not all browsers set Origin reliably on non-CORS requests.

Mon, Aug 31, 3:21 PM · Security, MediaWiki-Authentication-and-authorization, TechCom-RFC
dbarratt added a comment to T261358: Review CORS strategy for WikimediaApiPortalOAuth extension.

Let's take another example: should I be able to use the Content Translation tool on English without getting an OAuth token to the wiki I'm translating to? Or should I blindly be able to edit the other wiki with the cookie I have?

Mon, Aug 31, 3:02 PM · Patch-For-Review, Security-Team, Security, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)
dbarratt added a comment to T261358: Review CORS strategy for WikimediaApiPortalOAuth extension.

Thus, we get the best of two worlds: do not lose a ton of performance for the majority of requests, only for the select few when we need. I do not see anything preventing us from having different policies for different routes.

Mon, Aug 31, 2:58 PM · Patch-For-Review, Security-Team, Security, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)
dbarratt added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.

As part of T232176 I realized that a simple way to fix this problem is by rejecting write (POST) requests from users who 1) do not have a matching Origin to the allowlist and 2) are not logged in.

Mon, Aug 31, 2:43 PM · Security, MediaWiki-Authentication-and-authorization, TechCom-RFC
dbarratt added a comment to T261358: Review CORS strategy for WikimediaApiPortalOAuth extension.

Welp, given all that, I would either use OAuth (when you need to make authenticated requests, ask the user to authenticate to Meta) or see if T232176 can be resolved in a different direction. I don't have an opinion on cross-origin cookie requests, other than it should be limited to the existing allowlist. It does present some performance concerns (i.e. Vary: Origin) that I don't have a very good solution for.

Mon, Aug 31, 2:26 PM · Patch-For-Review, Security-Team, Security, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)

Sun, Aug 30

dbarratt committed rRITNa2085607c964: 2.0.3 (authored by dbarratt).
2.0.3
Sun, Aug 30, 2:06 AM
dbarratt committed rRITNfa71a58ac8d9: Dependency Upgrades (authored by dbarratt).
Dependency Upgrades
Sun, Aug 30, 2:06 AM
dbarratt committed rRITN1ff6461e87a2: Set the npm tag prefix to an empty string (authored by dbarratt).
Set the npm tag prefix to an empty string
Sun, Aug 30, 2:06 AM
dbarratt committed rRITN3acb0775d8fd: Make functions named functions for easier debugging (authored by dbarratt).
Make functions named functions for easier debugging
Sun, Aug 30, 2:06 AM
dbarratt added a comment to T261358: Review CORS strategy for WikimediaApiPortalOAuth extension.

And another idea! You could do something similar to MediaWiki-extensions-CentralAuth and access another database in the cluster directly (I'm assuming the wiki is in the production cluster).

Sun, Aug 30, 12:43 AM · Patch-For-Review, Security-Team, Security, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)
dbarratt added a comment to T261358: Review CORS strategy for WikimediaApiPortalOAuth extension.

Another thought I had... would it be possible to deploy your extension onto Meta and use it there instead of a new wiki? Alternatively, would it be possible to move the OAuth central wiki to this new wiki?

Sun, Aug 30, 12:41 AM · Patch-For-Review, Security-Team, Security, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)

Sat, Aug 29

dbarratt updated the task description for T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.
Sat, Aug 29, 11:51 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.

AH! I forgot that Access-Control-Allow-Credentials is a response header for simple requests (not just OPTIONS). This means we'd need to add Vary: Origin to all requests if we want to support Option 2 or Option 3. We could add a query parameter with the origin, which might save a little bit of cache variance, but I can't imagine it would be a ton.

Sat, Aug 29, 11:50 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)
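The three server-side rules discussed across these comments (which POSTs a browser sends without a preflight, the T40417 proposal to reject anonymous POSTs whose Origin is not on the allowlist while treating a missing Origin as same-origin, and why echoing an allowed Origin with credentials forces Vary: Origin) as an added Python illustration; this is not MediaWiki or REST framework code, and the origins, the Request shape and the function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed origins for this example; a real allowlist is wiki configuration.
SITE_ORIGIN = "https://en.wikipedia.example"
ALLOWLIST = {SITE_ORIGIN, "https://meta.wikimedia.example"}

# Content-Types a browser may send in a POST without an OPTIONS preflight.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


@dataclass
class Request:
    """Minimal model of an incoming request (assumed shape, not MediaWiki's)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    logged_in: bool = False  # a valid session cookie was presented


def is_simple_request(req: Request) -> bool:
    """True if a browser would send this request without a preflight.

    Only the method and Content-Type are checked; custom request headers
    would also trigger a preflight but are out of scope here.
    """
    if req.method in ("GET", "HEAD"):
        return True
    if req.method != "POST":
        return False
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype in SIMPLE_CONTENT_TYPES


def accept_write(req: Request) -> bool:
    """The anonymous-POST check proposed in T40417.

    A POST is rejected only when BOTH hold: an Origin header is present and
    not on the allowlist, and the user is not logged in. A missing Origin is
    treated as same-origin so older browsers keep working; logged-in users
    remain covered by the regular CSRF token.
    """
    if req.method != "POST":
        return True
    origin = req.headers.get("Origin")
    if origin is None or origin in ALLOWLIST:
        return True
    return req.logged_in


def cors_headers(req: Request, allow_cookie_auth: bool = False) -> Dict[str, str]:
    """CORS headers for a simple (non-OPTIONS) response.

    Default: credentials are not allowed, so a wildcard origin suffices and
    the response does not depend on the request's Origin. When a wiki opts
    into cookie auth for cross-origin requests, the allowlisted Origin must
    be echoed back with Access-Control-Allow-Credentials: true, and because
    the response now depends on Origin, Vary: Origin is required so caches
    do not serve one origin's grant to another.
    """
    if not allow_cookie_auth:
        return {"Access-Control-Allow-Origin": "*"}
    origin = req.headers.get("Origin")
    if origin is None or origin not in ALLOWLIST:
        return {}  # no CORS grant for unknown origins
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed request: an anonymous form POST from a site not on the allowlist.
    spam = Request(
        "POST",
        {"Origin": "https://spammer.example",
         "Content-Type": "application/x-www-form-urlencoded"},
    )
    print("preflighted:", not is_simple_request(spam))  # False: simple request
    print("accepted:", accept_write(spam))               # False: rejected
```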
dbarratt updated the task description for T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.
Sat, Aug 29, 11:48 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)
dbarratt updated the task description for T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.
Sat, Aug 29, 11:46 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)
dbarratt added a comment to T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.

The patch I've submitted should do the trick. But please review. :)

Sat, Aug 29, 11:08 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.5; 2020-08-18), Platform Team Initiatives (MW REST API in PHP)