Page MenuHomePhabricator

JavaScript warnings shown at the top of JSON pages can be misleading
Closed, InvalidPublic

Description

After T76554, all JSON pages that are in the userspace are automatically protected so that only the user and sysops can edit it.

This is okay except the change also meant you get these warnings at the top of the JSON page:

Depending on what's using the JSON, these statements could be true, but in many cases they are not or are misleading, such as bot configuration pages like https://en.wikipedia.org/wiki/User:Community_Tech_bot/Popular_pages_config.json

I am not sure what a solution is here, I'm just creating this ticket following the request at T76554#4188287

Event Timeline

At the very least jswarning should go, but I think they should all go. There's nothing scary about JSON. @Bawolff might think differently though...

When I read the subject of the task, it seemed like an obvious bug that we should fix.

However, looking more closely at the warning text:

Code that you insert on this page could contain malicious content capable of compromising your account.
The code will be executed when previewing this page.
After saving, you have to bypass your browser's cache to see the changes.

This does not actually mention "JavaScript". This message seems very good, and would perfectly fit for both JS, CSS and JSON.

I would be in favour of keeping it. Any of these three do have the potential malicious use. Both JS and CSS are vulnerable to XSS (Cross-site scripting attacks). JSON is less obvious in its own right, given it isn't executable. But its use cases are almost exclusively to configure programs, which are executable. It is not unlikely that these programs will feature configuration variable that involve privacy-related user preferences that could opt-in or opt-out of certain behaviours of the program. It may also contain configuration variables that literally contain arbitrary urls or expressions.

Looking forward, this warning seems very appropiate. People should not blindly paste content into these kinds of configuration pages.

Will the code actually be executed when previewing the page though? I wouldn't think so. That is why I was suggesting that particular message be dropped.

Will the code actually be executed when previewing the page though? I wouldn't think so. That is why I was suggesting that particular message be dropped.

JSON is not itself executable code currently. However, once the infrastructure to consume and load these pages in MediaWiki exists, it is most likely that they will be previewable. I don't see why not.

I suppose we could make, for now, the preview part a separate messsage (e.g myconfig-warning-preview), and display that only on the JS and CSS pages for the time being.

I think there should be a separate message. It currently says "The code will be executed when previewing this page" (emphasis theirs, may be customized on enwiki). This is fine for JavaScript, because indeed it will be executed when previewing, but not so much for JSON. It'd be nice to have the flexibility to at least tone it down, with a "may be executed"? And also mention something about bots (which it is commonly used for), because they likely won't run it immediately, certainly not when previewing.

And what about "After saving, you have to bypass your browser's cache to see the changes" ? If this is ever true for JSON, it's surely a "you may have to". I suppose the same is true with JS, so we could just reword the current message.

This is because the English Wikipedia community have hacked in this warning to a place that MediaWiki does not put a banner, and they haven't updated it yet.

https://en.wikipedia.org/wiki/MediaWiki:Clearyourcache (which is a simple cache expiry notice by default) has a parser function hack blindly pulling in https://en.wikipedia.org/wiki/MediaWiki:Jswarning (which is not a standard warning) with scary (and over-blown) text in it.

These kind of issues aren't tracked on Phabricator, but should be taken up there.

Nice find! Indeed we can rework this. Is there a way to detect the content model? I don't see a magic word for it. I'll surely need to consult other admins, but I feel the wording should be different for JSON pages, if possible.

Nice find! Indeed we can rework this. Is there a way to detect the content model? I don't see a magic word for it. I'll surely need to consult other admins, but I feel the wording should be different for JSON pages, if possible.

There isn't; note that this is also being shown on CSS pages right now, and similarly doesn't quite apply exactly the same as for JS.

Vvjjkkii renamed this task from JavaScript warnings shown at the top of JSON pages can be misleading to 1fdaaaaaaa.Jul 1 2018, 1:11 AM
Vvjjkkii reopened this task as Open.
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from 1fdaaaaaaa to JavaScript warnings shown at the top of JSON pages can be misleading.Jul 1 2018, 3:50 PM
CommunityTechBot closed this task as Invalid.
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description. (Show Details)
CommunityTechBot added a subscriber: Aklapper.