Last modified: 2014-01-13 17:18:32 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T59478, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 57478 - MediaWiki as OpenID server: make $wgOpenIDTrustRoot protocol-independent
MediaWiki as OpenID server: make $wgOpenIDTrustRoot protocol-independent
Status: RESOLVED INVALID
Product: MediaWiki extensions
Classification: Unclassified
OpenID (Other open bugs)
master
All All
: High normal (vote)
: ---
Assigned To: T. Gries
:
Depends on:
Blocks: 9604
  Show dependency treegraph
 
Reported: 2013-11-23 08:48 UTC by T. Gries
Modified: 2014-01-13 17:18 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Comment 1 T. Gries 2013-11-24 11:03:40 UTC
The question is, whether making it protocol-independent is really safe.

We are talking about the server-side implementation (MediaWiki as OpenID Server).

When the MediaWiki can be accessed via http: _and_ https: in the same way, then the consumer should trust one of them - not both, because the server could deliver different services, depending whether it is accessed via http or https.

So I changed my mind and think, that the $wgOpenIDTrustRoot value should _always_ reflect the actual way, a consumer has authenticated.

Closing as INVALID.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links