I was testing out https://www.mediawiki.org/wiki/Special:VisualEditorSandbox and Google Chrome is throwing a warning:
The page at https://www.mediawiki.org/wiki/Special:VisualEditorSandbox displayed insecure content from http://upload.wikimedia.org/wikipedia/commons/4/42/Loading.gif.
I assume this is simply hard-coded somewhere? I haven't had a chance to look at the code very closely, but this should be a simple fix.
Version: 1.18.x
Severity: blocker
| Title | Reference | Author | Source Branch | Dest Branch | |
|---|---|---|---|---|---|
| [maintain-harbor] add pre-commit | repos/cloud/toolforge/maintain-harbor!17 | raymond-ndibe | pre-commit | main |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | None | T36599 Special:UploadWizard loading insecure content from commons | |||
| Resolved | • brion | T35045 mediawiki.feedback module should not load icon from upload.wikimedia.org |
This icon is not a VisualEditor icon, it's part of the feedback system that the VisualEditorSandbox is using. It may need to be renamed/recategorized.
(In reply to comment #2)
This icon is not a VisualEditor icon, it's part of the feedback system that the
VisualEditorSandbox is using. It may need to be renamed/recategorized.
Eep, sorry about that. You're absolutely right, it's in MediaWiki core. I tracked it down to http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/resources/mediawiki/mediawiki.feedback.js?revision=106003&view=markup#l95.
This should be fixed before 1.19 release and backported if needed. We should not embed WMF resources in any MediaWiki core release.
r112169 does a quick protocol-relative switch, but still should be changed to include the actual icon locally.
r112172 does a proper fix, turning it into a locally-hosted .gif loaded via styles in the module.