Page MenuHomePhabricator
Create Task
Maniphest T42965

General-purpose HTTPS-friendly GeoIP solution
Closed, ResolvedPublic
Actions

Description

Bug 40714 was invalid, but I think this is a valid request although a low priority one: if the browser doesn't allow to load unsecure resources, the GeoIP lookup to freegeoip.net should be skipped or anyway the behaviour should degrade gracefully (or more gracefully than it currently does).
Of course chasing browsers is not an option but maybe someone will come up with a smart solution. The linked thread mentions HTTP 304 Not Modified responses which might give some some clue to ULS maybe?

Version: master
Severity: enhancement
URL: https://translatewiki.net/wiki/Thread:Support/HTTP_request_on_HTTPS_translatewiki.net

Details

Reference
bz40965

Event Timeline

bzimport raised the priority of this task from to Lowest.Nov 22 2014, 1:14 AM
bzimport added a project: UniversalLanguageSelector.
bzimport set Reference to bz40965.
Nemo_bis created this task.Oct 11 2012, 7:54 PM
Nikerabbit added a comment.Oct 12 2012, 7:08 PM

ULS is degrading gracefully. There is nothing we can do to support https in ULS unless someone sets up https service. We could just not make the requests at all when using https.

Platonides added a comment.Oct 12 2012, 7:29 PM

You are on an untrusted network, so you only login in https, but as the wiki then loads http://freegeoip.net/json/?callback=mw.uls.setGeo in http, the attacker replaces the answer and runs arbitrary javascript in your browser...

Nikerabbit added a comment.Oct 12 2012, 7:41 PM

External services are a security risk regardless of whether it is http or https.

Krinkle added a comment.Oct 13 2012, 6:32 AM

FYI: This request is blocked in Google Chrome by default when browsing translatewiki over HTTPS (as it should).

Platonides added a comment.Oct 13 2012, 12:05 PM

External services are a security risk regardless of whether it is http or
https.

Yes, but being in http additionally means it is also open to main-in-the-middle, attacks so it disables the https security (for an active attacker).

Nemo_bis added a comment.Nov 3 2012, 10:30 AM

See also gerrit change 31637

gerritbot added a comment.Apr 26 2013, 1:00 PM

Related URL: https://gerrit.wikimedia.org/r/60995 (Gerrit Change Ia18130890d09f86a93b5b61f7da7c48fcfa480c7)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL