A late forward, but this is especially important for gadget authors.
-------- Forwarded Message --------
Subject: [Wikitech-l] Gadget usage of rollback, purge, and markpatrolled
Date: Wed, 29 Jun 2016 13:42:12 -0700
From: Aaron Schulz <aschulz4587(a)gmail.com>
Reply-To: Wikimedia developers <wikitech-l(a)lists.wikimedia.org>
To: wikitech-l(a)lists.wikimedia.org, mediawiki-api-announce(a)lists.wikimedia.org
TL;DR: Gadgets should use HTTP POST for purge/rollback/markpatrolled actions.
-------
Some gadgets still use HTTP GET for page purge requests. In order to better facilitate multi-datacenter traffic routing [1] and to better comply with web standards [2], these types of requests should use POST instead. GET is considered, by specification, to be a "safe method". Since purge requests perform database writes and potentially significant rendering updates, they should use a state-changing HTTP method. Also, achieving our multi-datacenter goal as planned involves leveraging safe HTTP methods to route requests to either the closest or the primary datacenter for optimal performance.
Most of such requests to MediaWiki already require POST, but "purge" is one of the exceptions. There is no compelling reason for this to be exceptional, however. Exposing a URL parameter that does database writes, reparsing, and cache updates simply by following a link (especially with no CSRF token) encourages bad practice (having links that bypass cache) and the risk of performance problems if such a link becomes popular.
Rollback requests should also use HTTP POST given that it results in a page edit. The database operations are far more complex than purge, so in a multi-datacenter system, such requests (if using HTTP GET) could have much worse performance depending on the client's location (even if very close to a datacenter). Ideally, reversion tools would use the API for rollback, instead of index.php.
The markpatrolled action, like rollback, also involves a GET request with a token parameter. The core JavaScript MediaWiki provides already uses the API with POST, but users without JavaScript (and some Gadgets) are still using HTTP GET. The Gadgets should be converted to POST.
Purge, rollback, and markpatrolled support both POST and GET right now. Gadgets still using GET for these actions should be converted to use POST instead.
There is a task at T135170 [3] for MediaWiki to require POST for purge requests. Also see T88044 [4] for the same requirement for rollback requests.
[1] https://phabricator.wikimedia.org/T92357
[2] https://tools.ietf.org/html/rfc7231#section-4.2.1
[3] https://phabricator.wikimedia.org/T135170
[4] https://phabricator.wikimedia.org/T88044
--
-Aaron
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
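As an added illustration of the conversion the message asks for (not code from the original post or from MediaWiki itself), the wrapper below issues purge, rollback and patrol as POST requests through api.php using the standard api.php action names and token types; it assumes only that `api` has the `post(params)` and `postWithToken(tokenType, params)` methods a `mw.Api` instance provides, and the `recordingApi` stand-in is constructed so the example runs outside a wiki.

```javascript
// Added example: route the three actions from the message above through the
// MediaWiki API as POST requests instead of index.php GET links.
// `api` is assumed to expose post(params) and postWithToken(tokenType, params),
// as a mw.Api instance does; in a gadget, pass `new mw.Api()`.
function gadgetActions(api) {
  return {
    // action=purge takes no token, but it writes (parser cache, link tables),
    // so it is still sent as a state-changing POST.
    purge(title) {
      return api.post({
        action: 'purge',
        titles: title,
        forcelinkupdate: true,
        format: 'json'
      });
    },
    // action=rollback is a page edit: obtain a rollback token and POST with it.
    rollback(title, user) {
      return api.postWithToken('rollback', {
        action: 'rollback',
        title: title,
        user: user,
        format: 'json'
      });
    },
    // action=patrol replaces index.php?action=markpatrolled&rcid=...&token=...
    markPatrolled(rcid) {
      return api.postWithToken('patrol', {
        action: 'patrol',
        rcid: rcid,
        format: 'json'
      });
    }
  };
}

// Constructed stand-in for mw.Api so the example runs without a wiki:
// it records every call and resolves with the parameters it received.
function recordingApi() {
  const calls = [];
  return {
    calls,
    post(params) {
      calls.push({ method: 'POST', tokenType: null, params });
      return Promise.resolve(params);
    },
    postWithToken(tokenType, params) {
      calls.push({ method: 'POST', tokenType, params });
      return Promise.resolve(params);
    }
  };
}
```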