
Allow creation of the EditToken through JavaScript
Closed, Declined (Public)

Description

I'd like to know if it would be possible to have the edit token available on any
page (not only when editing)? I know I could probably get this through AJAX
scripting but that's the best way I think.

On Polish Wikipedia we have a script for reporting bugs and it currently uses
the Tool Server and a bot to add reports. If the edit token were available,
the form created through JS could simply add a new section (submitting changes
with one click) and the bot would be used only to pass info about these changes
to an IRC channel (as it does now).


Version: unspecified
Severity: normal

Details

Reference
bz9532

Event Timeline

bzimport raised the priority of this task to Medium. Nov 21 2014, 9:41 PM
bzimport set Reference to bz9532.
bzimport added a subscriber: Unknown Object (MLST).

robchur wrote:

This would likely interfere with caching, and would harm our ability to change
the token on the fly (automatic regeneration) and have things still work.

I recently had a similar need. I did a 'fastdelete' script, avoiding having to
confirm the deletion.
http://es.wikipedia.org/wiki/Usuario:Platonides/fastdelete.js

To have the EditToken available, it remembers it (the edittoken is the same for
the session) at edits/deletes, in a cookie
http://es.wikipedia.org/wiki/Usuario:Platonides/StoreSettings.js

(In reply to comment #1)

This would likely interfere with caching, and would harm our ability to change
the token on the fly (automatic regeneration) and have things still work.

Caching - why? I thought it was generated once during each session.

robchur wrote:

(In reply to comment #3)

Caching - why? I thought it was generated once during each session.

As I said in comment 1, we might like to alter things so tokens are regenerated
more often. Tokens for different operations are also salted, and so can vary
according to the operation in question. Your browser will attempt to cache the
page, including the script.

The whole point of an edit token is to help prevent malicious form submission
hijacking; I'm not convinced that providing an edit token on every page via
JavaScript wouldn't partly defeat the purpose of it.

Just to document it:
The only token which is currently different is the rollback one, which is hashed
with the user you're reverting.

The editToken is also unrelated to the ___Token cookie, used for login.

robchur wrote:

(In reply to comment #5)

The only token which is currently different is the rollback one, which is hashed
with the user you're reverting.

That is incorrect.

Resolving as WORKSFORME. The edit token can be obtained from the API using AJAX, or scraped from the hidden form field if you happen to be on the edit form.

API URL: http://en.wikipedia.org/w/api.php?action=query&titles=Main_Page&prop=info&intoken=edit
(append &format=whatever to get a different format; for help, see http://en.wikipedia.org/w/api.php )

(See [[Wikipedia:WikiProject_User_scripts/Guide/Ajax]] for a tutorial on doing so with JavaScript.)

Jdforrester-WMF changed the task status from Resolved to Declined. Sep 7 2016, 10:18 PM
Jdforrester-WMF subscribed.

Argh, that's posting about Phacility's Phabricator instance but being treated as ours.