
MediaWiki as OpenID server: make $wgOpenIDTrustRoot protocol-independent
Closed, Invalid
Public

Description

Details

Reference
bz57478

Event Timeline

bzimport raised the priority of this task from to High. Nov 22 2014, 2:39 AM
bzimport set Reference to bz57478.

The question is whether making it protocol-independent is really safe.

We are talking about the server-side implementation (MediaWiki as OpenID Server).

When MediaWiki can be accessed via http: _and_ https: in the same way, then the consumer should trust one of them - not both, because the server could deliver different services, depending on whether it is accessed via http or https.

So I changed my mind and think that the $wgOpenIDTrustRoot value should _always_ reflect the actual way a consumer has authenticated.

Closing as INVALID.
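
An added illustration of the point made in the comment above (not code from the MediaWiki OpenID extension): a trust-root (realm) match following the rules of OpenID Authentication 2.0, section 9.2, where scheme and port are part of the comparison, so an http realm never covers an https return URL and a scheme-less realm matches nothing. The host `wiki.example.org`, the paths and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Split an http(s) URL into (scheme, host, port, path), filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return scheme, u.hostname, u.port or DEFAULT_PORTS[scheme], u.path or "/"


def matches_realm(realm, return_to):
    """Return True if return_to falls under realm (OpenID 2.0, section 9.2 rules)."""
    try:
        r_scheme, r_host, r_port, r_path = _parts(realm)
        u_scheme, u_host, u_port, u_path = _parts(return_to)
    except ValueError:
        # A protocol-relative realm such as "//host/" has no scheme and is rejected.
        return False
    # Scheme and port must be identical: http and https are separate realms.
    if (r_scheme, r_port) != (u_scheme, u_port):
        return False
    if r_host.startswith("*."):
        # Wildcard realm: the bare domain or any sub-domain of it.
        suffix = r_host[2:]
        host_ok = u_host == suffix or u_host.endswith("." + suffix)
    else:
        host_ok = u_host == r_host
    # The path must equal the realm path or be a sub-directory of it.
    base = r_path if r_path.endswith("/") else r_path + "/"
    path_ok = u_path == r_path or u_path.startswith(base)
    return host_ok and path_ok


if __name__ == "__main__":
    # Constructed sample values.
    target = "https://wiki.example.org/w/return"
    for realm in ("https://wiki.example.org/",
                  "http://wiki.example.org/",
                  "//wiki.example.org/"):
        print(f"{realm!r:32} -> {matches_realm(realm, target)}")
```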