Last modified: 2014-11-17 10:36:34 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T22298, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 20298 - Use CORS for cross domain login
Status: RESOLVED WONTFIX
Product: MediaWiki extensions
Classification: Unclassified
Component: CentralAuth
Version: unspecified
Hardware: All All
Importance: Normal enhancement with 1 vote
Target Milestone: ---
Assigned To: Nobody - You can work on this!
URL: https://developer.mozilla.org/En/HTTP...
Keywords: patch, patch-reviewed
Depends on: 20814
Blocks:

Reported: 2009-08-18 13:12 UTC by Derk-Jan Hartman
Modified: 2014-11-17 10:36 UTC
CC List: 6 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
patch for cross domain central auth (2.47 KB, patch)
2010-07-31 19:17 UTC, Derk-Jan Hartman
patch for cross domain central auth v2 (2.47 KB, patch)
2010-07-31 20:05 UTC, Derk-Jan Hartman

Description Derk-Jan Hartman 2009-08-18 13:12:55 UTC
See the example in the URL.  Implementing this would make it work for Safari and other browsers that have strict origin restrictions on cookies.
Comment 1 Roan Kattouw 2009-08-18 13:16:15 UTC
Bug 20251 could also be fixed by implementing this.
Comment 2 Brion Vibber 2009-08-19 20:25:01 UTC
The term "CORS" doesn't appear on the referenced page; can you maybe clarify? :)
Comment 3 Derk-Jan Hartman 2009-08-19 21:26:38 UTC
Cross Origin Resource Sharing: http://www.w3.org/TR/access-control/
Comment 4 Roan Kattouw 2009-08-19 21:56:40 UTC
(In reply to comment #2)
> The term "CORS" doesn't appear on the referenced page; can you maybe clarify?
> :)
> 

See also r54127
Comment 5 Derk-Jan Hartman 2010-07-31 19:17:15 UTC
Created attachment 7607 [details]
patch for cross domain central auth

I have no testing environment for this, but I suppose this patch could do the trick.
Comment 6 Derk-Jan Hartman 2010-07-31 20:02:40 UTC
We could also use wgCentralAuthAutoLoginWikis of course instead of wgCentralAuthCrossSiteDomains. Not really sure on that one...
Comment 7 Derk-Jan Hartman 2010-07-31 20:05:04 UTC
Created attachment 7608 [details]
patch for cross domain central auth v2

Corrected syntax error in the patch.
Comment 8 Bugmeister Bot 2011-08-19 19:13:00 UTC
Unassigning default assignments. http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/54734
Comment 9 Rainer Rillke @commons.wikimedia 2011-12-17 21:56:55 UTC
For me Internet Explorer 8 does not work properly, other users reported problems with Opera:

You are not logged in despite checking "globally login"-box when logging in de.wikipedia.org and then going to commons.wikimedia.org. But on en.wikipedia.org you are logged-in.

It is just confusing for the user if it is said "login successful" but it is actually not.
Comment 10 Roan Kattouw 2011-12-17 21:59:26 UTC
(In reply to comment #9)
> For me Internet Explorer 8 does not work properly, other users reported
> problems with Opera:
> 
> You are not logged in despite checking "globally login"-box when logging in
> de.wikipedia.org and then going to commons.wikimedia.org. But on
> en.wikipedia.org you are logged-in.
> 
> It is just confusing for the user if it is said "login successful" but it is
> actually not.
Is this a problem with this patch, or a problem you're experiencing on the live site right now? If the latter, you're commenting on the wrong bug.
Comment 11 Roan Kattouw 2011-12-17 22:02:25 UTC
(In reply to comment #10)
> Is this a problem with this patch, or a problem you're experiencing on the live
> site right now? If the latter, you're commenting on the wrong bug.
Never mind, I didn't read comment #0 properly. Strict origin restrictions on cookies break the auto login feature.
Comment 12 Roan Kattouw 2011-12-17 22:09:18 UTC
(In reply to comment #5)
> Created attachment 7607 [details]
> patch for cross domain central auth
> 
> I have no testing environment for this, but I suppose this patch could do the
> trick.
Looks good to me. We have a similar CORS implementation in the API that suffers from caching issues, but since Special:Autologin isn't cached we should be good here.
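Added example, not part of the original thread or the attached patch: a sketch of the server-side header logic for a credentialed CORS response and the browser-side check it must satisfy, showing why an uncached endpoint avoids the caching issue mentioned in comment 12. The allow-list contents and all function names are assumptions made for illustration.

```javascript
// Constructed allow-list for illustration; not taken from the attached patch.
const ALLOWED_ORIGINS = new Set([
  "https://de.wikipedia.org",
  "https://en.wikipedia.org",
  "https://commons.wikimedia.org",
]);

// Accept only a canonical https origin (scheme://host[:port], nothing else).
function parseOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    return u.protocol === "https:" && u.origin === value ? value : null;
  } catch {
    return null; // "null", empty or malformed Origin header
  }
}

// Server side: headers for a credentialed cross-origin response.
function corsHeaders(originHeader) {
  // Always vary on Origin so a shared cache cannot replay one wiki's
  // Access-Control-Allow-Origin to a different requesting origin.
  const headers = { Vary: "Origin" };
  const origin = parseOrigin(originHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return headers;
  headers["Access-Control-Allow-Origin"] = origin; // exact echo, never "*"
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Cache-Control"] = "private, no-store";
  return headers;
}

// Browser side: the check applied before script may read the response.
function browserAllowsRead(requestOrigin, headers, withCredentials) {
  const allow = headers["Access-Control-Allow-Origin"];
  if (!withCredentials) return allow === "*" || allow === requestOrigin;
  // With credentials the wildcard is rejected and the flag must be "true".
  return allow === requestOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}
```

A response generated for en.wikipedia.org and replayed from a cache to de.wikipedia.org fails `browserAllowsRead`, which is the failure `Vary: Origin` prevents. Passing the check only makes the response readable; it does not override the browser's third-party cookie policy discussed in comment 14.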
Comment 13 Derk-Jan Hartman 2012-09-05 18:16:26 UTC
What shall we do with this one then? I had all but forgotten about it. I guess we might want to reuse some of the concepts added to the CORS API implementation now, at least in terms of syntax for the config option?
Comment 14 Derk-Jan Hartman 2012-09-05 19:33:37 UTC
I think this is no longer useful. Cookie accept rules have been tweaked so far now that not even withCredentials will let you bypass them. If you have "don't accept from 3rd parties" enabled (or Safari's "don't accept from unknown 3rd parties"), the cookie information is simply ignored by the browsers.

On Safari, when you have visited before, it works, but it works just as well with the cookies of the images, so no added benefit.
Comment 15 Derk-Jan Hartman 2013-05-23 20:12:00 UTC
I'm closing this wontfix.

Bug 46901 and specifically SUL2 are now the focus to address the problem that this solution was attempting to solve.
