**Steps to replicate the issue** (include links if applicable):
* Get the [[https://www.mediawiki.org/wiki/Manual:User_rights|noratelimit]] right
* Load more than 70 new thumbnails with unusual sizes in 30 seconds ([[https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+/refs/heads/master/wmf-config/InitialiseSettings.php#3061|renderfile-nonstandard]])
**What happens?**:
429 Too Many Requests
**What should have happened instead?**:
Thumbnails would be expected to be loaded as you have noratelimit.
**Other information** (browser name/version, screenshots, etc.):
In Chromium I see that for requests to upload.wikimedia.org all the cookies that would identify me are only visible in developer tools when I click "show filtered out request cookies", so the thumbnails are loaded as if I'm an anon.
I'm unsure how/where these cookies get filtered, but I think it's a good thing as I found this while trying to create an exploit. But it does mean my noratelimit can't be applied.
If all this is correct, maybe the thumbnailing ratelimit should just be hardcoded instead of implemented as a configurable ratelimit?