Last modified: 2011-09-09 18:12:08 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. See T29968, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 27968 - JavaScript (geoip lookups) included via plain HTTP on HTTPS sites
Status: RESOLVED DUPLICATE of bug 30735
Product: MediaWiki extensions
Classification: Unclassified
Component: CentralNotice
Version: unspecified
Hardware: All
OS: All
Priority: Normal
Severity: major
Votes: 1
: ---
Assigned To: Ryan Lane
: fundraising
Depends on:
Blocks: ssl
Reported: 2011-03-10 00:53 UTC by Marian
Modified: 2011-09-09 18:12 UTC (History)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Marian 2011-03-10 00:53:34 UTC
In the "secure" version of Wikipedia, there is a JavaScript embedded from http://geoiplookup.wikimedia.org. This makes the HTTPS somehow completely useless if the user has JavaScript enabled.
I understand that it is complicated to embed the images via HTTPS. But please fix at least that one here, as it really breaks the security (allowing an attacker to do anything), in contrast to the image thing (which only creates warnings and does allow an attacker to manipulate only the images).
Comment 1 Ryan Kaldari 2011-03-10 19:49:46 UTC
Will try to get this fixed next week.
Comment 2 Ryan Kaldari 2011-03-12 04:59:56 UTC
Filed RT ticket 657 with Ops to get a secure geoip lookup. Once that is done, fixing it in CentralNotice will be trivial.
Comment 3 Marian 2011-03-12 10:58:18 UTC
Thanks for the quick reaction! Do you have a link to that ticket?
Comment 4 Bawolff (Brian Wolff) 2011-03-12 18:23:42 UTC
RT tickets are private/secret I believe (for some reason I don't entirely understand).
Comment 5 Roan Kattouw 2011-03-13 11:42:46 UTC
(In reply to comment #4)
> RT tickets are private/secret I believe (for some reason I don't entirely
> understand)
They are restricted, yeah. I believe it's because of vendor info and such.
Comment 6 Mark A. Hershberger 2011-04-04 22:26:45 UTC
Ryan has this scheduled for completion before the annual fundraiser.
Comment 7 Ryan Kaldari 2011-04-04 22:47:27 UTC
Regardless of when it is scheduled to be fixed, it shouldn't be marked as low priority, IMO. The bug affects everyone using the secure site, regardless of whether there is a fundraiser going on or not. GeoIpLookups are currently done on every page view, even if no banners are running on the wiki. So this bug basically means that our secure site isn't actually secure. I've gotten lots of complaints about this issue from the community, so it should probably retain a high priority.
Comment 8 Ryan Kaldari 2011-04-04 22:53:41 UTC
If it's not likely that we'll have HTTPS geoiplookups for at least a few months, perhaps I should just turn off geoiplookup on the secure site in the meantime. Thoughts?
Comment 9 Sam Reed (reedy) 2011-04-04 22:56:33 UTC
Ryan is busy at the moment, but suggested there might be a quickish way to fix this.

The ideal fix is sorting the secure system once and for all, which the ops guys were suggesting as the mucho preferred option.
Comment 10 Ryan Lane 2011-04-04 22:58:44 UTC
Is geoip lookup being used for anything right now?
Comment 11 Ryan Kaldari 2011-04-04 23:42:40 UTC
At the moment there are no CentralNotice campaigns running at all (which is a somewhat rare situation). There are some wiki-specific scripts that piggyback on the geoiplookup to do various types of "geonotices", but I'm not sure if any of those are running anything currently. So the short answer to your question is "Probably, but not for anything important." Thus my suggestion to turn it off completely for the secure site.
Comment 12 Aryeh Gregor (not reading bugmail, please e-mail directly) 2011-07-20 01:45:14 UTC
In Chrome 14 dev, when visiting https://test.wikipedia.org/, I receive a message bar at the top of every page: "Insecure script has been blocked."  There's a button that says "Load anyway (not recommended)".  So users of Chrome are going to be getting a warning on every page, and the script won't work for them.  Seems like it should be a blocker for broader HTTPS deployment.  (I don't know if non-dev channels have the warning, but if they don't, they presumably will within a matter of weeks.)
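The description and comment 12 together describe the failure mode: a script referenced by a plain http:// URL on an HTTPS page is active mixed content, so an on-path attacker who can tamper with that one response controls the whole page, and newer browsers block it outright. The following is an added example, not code from this bug report or from CentralNotice: a small Node.js checker that scans page markup for http:// script, stylesheet and frame references on an HTTPS page, separates them from passive (image) mixed content, and shows the usual fix of rewriting the reference to a scheme-relative URL. The page URL is taken from comment 12; the HTML and the geoiplookup script URL are constructed for illustration, modelled on the problem described.

```javascript
// Added example (not part of the bug report or of CentralNotice):
// a mixed-content checker for the situation described in this bug.
// Runs under Node.js (uses the WHATWG URL class). The markup below is
// constructed for illustration, modelled on the report.

const SAMPLE_PAGE_URL = "https://test.wikipedia.org/"; // page URL from comment 12

// Constructed sample markup: one http:// script (the geoiplookup case),
// one https:// script, one scheme-relative script, one http:// stylesheet
// and one http:// image.
const SAMPLE_HTML = `
<html><head>
<script src="http://geoiplookup.wikimedia.org/"></script>
<script src="https://bits.wikimedia.org/skins/common/wikibits.js"></script>
<script src="//bits.wikimedia.org/skins/common/ajax.js"></script>
<link rel="stylesheet" href="http://bits.wikimedia.org/skins/vector/main.css">
<img src="http://upload.wikimedia.org/example.png">
</head><body></body></html>`;

// Tag/attribute pairs treated here as *active* mixed content: a script,
// stylesheet or frame fetched over http:// runs with the page's privileges,
// so whoever can modify that response controls the HTTPS page.
// Every <link href> is treated as active here; stylesheets are the common case.
const ACTIVE = [
  ["script", "src"],
  ["link", "href"],
  ["iframe", "src"],
];
// *Passive* mixed content (images) only produces a browser warning.
const PASSIVE = [["img", "src"]];

// Pull every <tag ... attr="..."> reference out of the markup.
function collect(html, pairs) {
  const out = [];
  for (const [tag, attr] of pairs) {
    const re = new RegExp(`<${tag}\\b[^>]*\\b${attr}\\s*=\\s*["']([^"']+)["']`, "gi");
    let m;
    while ((m = re.exec(html)) !== null) out.push({ tag, url: m[1] });
  }
  return out;
}

// A resource is insecure only when the page itself is HTTPS and the
// reference resolves to http://. A scheme-relative "//host/path" reference
// inherits the page's https: scheme and is therefore fine.
function isInsecureOn(pageUrl, resourceUrl) {
  if (new URL(pageUrl).protocol !== "https:") return false;
  return new URL(resourceUrl, pageUrl).protocol === "http:";
}

function findMixedContent(html, pageUrl) {
  const active = collect(html, ACTIVE).filter((r) => isInsecureOn(pageUrl, r.url));
  const passive = collect(html, PASSIVE).filter((r) => isInsecureOn(pageUrl, r.url));
  return { active, passive };
}

// The fix: drop the scheme so an HTTPS page fetches the resource over HTTPS
// while plain-HTTP pages keep working. (Using an explicit https:// URL is the
// other option once the host serves HTTPS.)
function toSchemeRelative(url) {
  return url.replace(/^https?:/i, "");
}

const report = findMixedContent(SAMPLE_HTML, SAMPLE_PAGE_URL);
console.log("active mixed content (browser may block, page is compromised):", report.active);
console.log("passive mixed content (warning only):", report.passive);
console.log("rewritten references:", report.active.map((r) => toSchemeRelative(r.url)));
```

On the sample markup the checker reports the geoiplookup script and the stylesheet as active mixed content and the image as passive, and leaves the https:// and scheme-relative scripts alone; that split matches the distinction the reporter draws between the script and the images.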
Comment 13 Roan Kattouw 2011-09-09 18:12:08 UTC

*** This bug has been marked as a duplicate of bug 30735 ***


