[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T122721

Add localhost to $wgCrossSiteAJAXdomains
Closed, DeclinedPublic
Actions

Description

Can CORS be allowed for sites hosted at localhost so tool developers using WMF's Mediawiki API can try their tools out when doing development at their local machine.

Similar: T22814, T62835, T122720.

Related Objects

Event Timeline

Kenrick95 created this task.Jan 1 2016, 2:13 PM
Kenrick95 raised the priority of this task from to Needs Triage.
Kenrick95 updated the task description. (Show Details)
Kenrick95 added a project: Wikimedia-Site-requests.
Kenrick95 added subscribers: Aklapper, Matanya, StudiesWorld and 2 others.
Krenair added a project: acl*security.Jan 2 2016, 9:17 PM
Krenair subscribed.
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJan 2 2016, 9:17 PM
Krenair renamed this task from Enable $wgCrossSiteAJAXdomains for sites hosted at localhost to Add localhost to $wgCrossSiteAJAXdomains.Jan 2 2016, 9:18 PM
Krenair set Security to None.
csteipp edited projects, added Security-Team; removed acl*security.Jan 12 2016, 10:30 PM
dpatrick subscribed.Jan 12 2016, 10:35 PM

@Kenrick95, the fix for T62835 should address this issue sufficiently, without the need to explicitly add "localhost" to $wgCrossSiteAJAXdomains. Do you have other information that leads you to believe that localhost needs to be explicitly listed?

Kenrick95 added a comment.Jan 13 2016, 11:31 AM

Since that task has no new comment since Nov 2015, I think it's better to allow "localhost" first before extending it to that task itself, i.e. solve smaller issue before solving a much larger issue.

Krenair moved this task from Backlog to External on the Wikimedia-Site-requests board.Jan 14 2016, 2:29 PM
Bawolff subscribed.Jan 19 2016, 9:55 PM

Honestly, I feel a bit iffy about this. I'm not sure if there would be any security badness from doing this, but it just feels "icky"

Maybe people who need this sort of thing, could just add something like

foo.wikipedia.org 127.0.0.1

To their /etc/hosts, and then test their thing using foo.wikipedia.org as the local web server.

Dereckson added subscribers: csteipp, Dereckson.Feb 10 2016, 9:46 PM

@Bawolff Not sure a DNS kludge is optimal. You can't change /etc/hosts on Chromebooks (ChromeOS mount this partition in read only mode) or on machines you are not root. But then, develop on a machine without root access isn't optimal, and we have recommendations for Vagrant.

@csteipp Do you see any risk (a rogue browser extension for example?) for a CORS rule including localhost?

Bawolff added a comment.Feb 11 2016, 2:31 AM

If you arent root you cant run a webserver on port 80 or 443, so this bug wouldnt help you.

csteipp closed this task as Declined.Feb 16 2016, 11:08 PM
csteipp claimed this task.

I think T62835: Enable cross-domain API requests in API's JSON responses will address the main use cases, and adding localhost does not seem like a wise thing to do. While I sympathize with making things easier for developers, I think this opens too much attack surface for the benefit.

Jdlrobson mentioned this in T212518: Add a search API configuration override.Jan 15 2019, 11:44 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:08 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits