
Non protocol relative links in banner shouldn't be allowed
Closed, Declined · Public

Description

It is common that users add to CentralNotice a banner with CSS that loads resources over http, which shows a warning for https users.

CentralNotice shouldn't allow non-protocol-relative URLs in CSS/images, or at least should show a noticeable warning.


Version: unspecified
Severity: minor

Details

Reference
bz62866

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 3:05 AM
bzimport set Reference to bz62866.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)". Nov 22 2014, 3:05 AM
Restricted Application changed the edit policy from "All Users" to "acl*security (Project)".

This is a security issue. Local sysops aren't allowed to change banners on meta to fix it, and meta sysops don't check banner messages for violations of https.

This is definitely something that should happen. If policy (like we have with site css/js) isn't enough, then CentralNotice should probably try to enforce it.

Fundraising, is there someone on your side who can look into this?

Doesn't CentralNotice let admins do much more dangerous things, involving JavaScript? If so, I feel like this might be a WONTFIX in favour of user education. But I don't know enough about CentralNotice to do so myself.

This certainly doesn't seem like something that needs to be private, but I'll let FR move it.

Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". Nov 24 2014, 9:27 PM
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy".
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 28 2014, 7:42 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".

Looking at the logs it looks like you'll want to reach out to https://meta.wikimedia.org/wiki/User:Itzike . For that particular banner you may run into an issue though, because the site it links to doesn't have a legitimate https certificate :-/

I can somewhat be ok with an http 'link' (though I dislike it, and certainly wouldn't fight a rule against it) like this one, I'm much stronger in favor of disallowing anything that autoloads (an image in the banner for example) that isn't either protorel or https only.
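The rule Jalexander describes above (a plain http link is tolerated, but anything the browser auto-loads must be protocol-relative or https) is the check the task description asks CentralNotice to perform. The following Python scanner is an added example, not code from this task or from the CentralNotice extension; the banner markup and the example.org and a.test hostnames are constructed.

```python
import re
from html.parser import HTMLParser

# Attributes whose URL the browser fetches automatically; an http:// value
# here is mixed content on an https page. Plain <a href> links only fire on
# click and are reported separately, as the thread distinguishes them.
AUTOLOAD_ATTRS = {"src", "poster", "background", "data"}
# http:// URLs inside CSS url(...) and @import, e.g. a banner background image
CSS_HTTP_RE = re.compile(r"(?:url\(\s*['\"]?|@import\s+['\"])(http://[^'\")\s]+)", re.I)


class BannerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.autoload = []  # (where, url) pairs that must be protorel or https
        self.links = []     # http:// targets of <a href>, warned about but allowed
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            low = value.strip().lower()
            if name in AUTOLOAD_ATTRS and low.startswith("http://"):
                self.autoload.append((f"<{tag} {name}>", value.strip()))
            elif name == "style":  # inline CSS on any element
                self.autoload += [(f"<{tag} style>", u) for u in CSS_HTTP_RE.findall(value)]
            elif name == "href" and low.startswith("http://"):
                # <link href> auto-loads a stylesheet; <a href> is a click
                bucket = self.autoload if tag == "link" else self.links
                bucket.append((f"<{tag} href>", value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # HTMLParser hands <style> content to handle_data
            self.autoload += [("<style>", u) for u in CSS_HTTP_RE.findall(data)]


def check_banner(html):
    """Return (autoload_hits, link_hits); a non-empty first list means reject."""
    p = BannerScanner()
    p.feed(html)
    p.close()
    return p.autoload, p.links


# Constructed banner: one insecure background image (would break https users),
# one insecure link (tolerated), one protocol-relative image (fine either way).
SAMPLE = """<div style="background-image: url(http://example.org/Gray-gradient1.png)">
<img src="//upload.wikimedia.org/example.png">
<a href="http://example.org/donate">Donate</a></div>"""

if __name__ == "__main__":
    bad, links = check_banner(SAMPLE)
    for where, url in bad:
        print(f"REJECT: {where} auto-loads insecure resource {url}")
    for where, url in links:
        print(f"WARN: {where} links to an insecure page {url}")
```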

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 28 2014, 8:01 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".

(the issue was with the 'Gray-gradient1.png' image, not a link to an http site) Thanks, I wrote Itzike about it, but I think it is a technical problem that should be solved by the extension, not an "educational problem" of users, as most of the users in https://meta.wikimedia.org/wiki/Meta:Central_notice_administrators aren't technical experts. Currently it is too easy to mistakenly break things.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 28 2014, 8:34 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".

Aye, I noticed that soon after I said it; when I looked (intending to fix it if it was an image) they were already protorel because Alex had already fixed it. Agree on the extension vs educational problem, though I think this may (unfortunately) end up being a deeper problem right now given how the html is consumed wholesale by the extension. That's an issue we want to fix as well though, so it can be folded in.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 28 2014, 9:11 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".

Also: I agree that this can be made public, anyone have an issue with that?

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 28 2014, 9:11 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Dec 30 2014, 10:10 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy".
Jalexander changed Security from Software security bug to None. Jan 9 2015, 10:01 PM

Given the lack of opposition and my own belief, I have changed this to public.

Jalexander changed the visibility from "Custom Policy" to "Public (No Login Required)". Jan 9 2015, 10:12 PM
Jalexander changed the edit policy from "Custom Policy" to "All Users".

Now that we've moved to https only, I vote we mark this wontfix. Any objections?

Pcoombe claimed this task.
Pcoombe subscribed.

@Bawolff Sounds good to me, done.