[01:34:42] Reedy: https://gerrit.wikimedia.org/r/#/c/255283/1/includes/Block.php
[17:18:16] csteipp: why couldn't we set an origin referer policy of "none"?
[17:19:15] ori: I would like that. But then we're totally opaque for external sites, and Dario believes there is a lot of benefit for other sites knowing how much traffic we send out.
[17:21:07] yeah, that's not a bad argument
[17:21:38] ori: If using LCStoreStaticArray, does rebuildLocalisationCache.php actually do anything?
[17:21:41] ori: And with SNI, anyone observing the https connection of a user to us is already going to know the domain that the user is attempting, so leaking that on a subsequent http call seems worth the benefit.
[17:21:51] Oh, to PHP files presumably, duh
[17:22:19] csteipp: right. makes sense.
[17:22:21] Reedy: yep
[17:37:10] csteipp: we'd be leaking the full URL though, no?
[17:42:06] paravoid: We're setting it to *not* leak the full url, which we do currently. We'll only pass the domain.
[17:42:54] We currently leak the whole url to all https sites, that is
[17:43:27] are we?
[17:43:34] yep
[17:43:43] we weren't initially, did we change that?
[17:43:49] which phab task is this?
[17:44:14] Maybe? T87276
[17:44:33] right
[19:22:51] legoktm, I see you did some maintenance on UserDailyContribs - does that mean that there's a team still interested in it?
[19:25:25] MaxSem: I did? Don't think so, pretty sure we undeployed it
[19:26:32] Yeah, https://phabricator.wikimedia.org/T85984 undeployed
[19:28:00] Oh, stuff like https://gerrit.wikimedia.org/r/#/c/245110/ is all automated
[19:36:08] anomie: Can you refresh my memory-- if we need a session (e.g., captchas, logins) for anonymous users, but SessionBackend can't be set up for unauthenticated users, where do those sessions live?
[19:37:20] csteipp: Session/SessionBackend can be set up for unauthenticated users.
[19:38:13] (or else I screwed something up and need to fix it)
[19:38:32] Looking at https://gerrit.wikimedia.org/r/#/c/243223/42/includes/session/SessionBackend.php line 110
[19:38:57] if (!$info->getUser()->isAuthenticated() ) ... throw exception
[19:39:46] Maybe that's a different kind of User? Or isAuthenticated() isn't what I'm thinking it means?
[19:40:16] csteipp: It's a MediaWiki\Session\UserInfo. I should rename the method to getUserInfo(), perhaps.
[19:41:38] As for isAuthenticated(), the intended meaning is whether we know that the UserInfo is really that user, or were we told that but can't trust it's true. For non-anons, it means that we checked the Token cookie or something equivalent; for anons, we always trust that an anon is an anon.
[19:41:46] New name welcome.
[19:42:09] verified?
[19:43:23] Or maybe from the other direction, when do we need to have a UserInfo where the user hasn't been verified?
[19:45:59] csteipp: We have a UserInfo that isn't verified if the UserID/UserName cookie is set but the Token cookie is missing (i.e. the user didn't check "remember me" when logging in).
[19:46:48] One of those OWASP things suggests that we still verify the UserID/UserName cookie matches the stored session data.
[19:47:14] Yeah, we should.
[19:47:56] a getUser() that doesn't return \User would be confusing...getUserInfo() sounds better
[19:51:31] I just as an is*() function that returns integers
[19:51:37] (and not 0/1 either!) :p
[19:51:45] *I just saw
[19:51:46] So what does it return?
[19:51:50] 1 or 2.
[19:51:51] lol
[19:51:54] WTF
[19:52:14] So you can't even check isFoo() for boolean :p
[19:52:24] Since everything it returns == true :p
[19:54:40] Roan ran away to cry at such silly code :p
[20:15:34] csteipp: Made those renames in PS43.