Many of you on the mailing list should be aware of the troubles that the style attribute brings to mobile [1,2] and the amount of hacks [3] that we have to introduce to work around them.
I still truly believe the only way we can resolve this is a long term rethink of how we approach custom styling on wiki. I have also heard from Chris Steipp that there are security implications with allowing inline styles which such a move would address.
I have submitted a patch [4] (mostly to share ideas and prompt discussion - before you pounce on it be aware I have -2ed it to allow discussion on whether there is a better way to do this - for instance it might be worthy of a new namespace, it might need more protection etc.. ).
All the patch does is allow Template:Foo to have an associated stylesheet Template:Foo.css which is included in pages that use it.
So if the San Francisco article uses templates Foo, Bar and Baz, a style tag will be constructed from the content of Template:Foo.css, Template:Bar.css and Template:Bar.css and inserted into the page. When the templates change the entire page San Francisco is changed and thus the new styling is applied.
This would reduce the need for css hacks in mobile and keep power in editors hands.
On the assumption that this patch makes it into core in some form that in future the mobile site can strip any style attributes from content and use the template css files instead and thus benefit from the ability to use media queries. This could be a long tedious process but I think it needs to be done.
Thanks in advance for your discussion and thoughts around this long standing issue! ~Jon
[1] https://www.mediawiki.org/wiki/Requests_for_comment/Deprecating_inline_style... [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=35704 [3] https://github.com/wikimedia/mediawiki-extensions-MobileFrontend/blob/master... [4] https://gerrit.wikimedia.org/r/68123
Just for the record, which security issues would this be fixing?
*-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On Tue, Jun 11, 2013 at 8:39 PM, Jon Robson jdlrobson@gmail.com wrote:
Many of you on the mailing list should be aware of the troubles that the style attribute brings to mobile [1,2] and the amount of hacks [3] that we have to introduce to work around them.
I still truly believe the only way we can resolve this is a long term rethink of how we approach custom styling on wiki. I have also heard from Chris Steipp that there are security implications with allowing inline styles which such a move would address.
I have submitted a patch [4] (mostly to share ideas and prompt discussion - before you pounce on it be aware I have -2ed it to allow discussion on whether there is a better way to do this - for instance it might be worthy of a new namespace, it might need more protection etc.. ).
All the patch does is allow Template:Foo to have an associated stylesheet Template:Foo.css which is included in pages that use it.
So if the San Francisco article uses templates Foo, Bar and Baz, a style tag will be constructed from the content of Template:Foo.css, Template:Bar.css and Template:Bar.css and inserted into the page. When the templates change the entire page San Francisco is changed and thus the new styling is applied.
This would reduce the need for css hacks in mobile and keep power in editors hands.
On the assumption that this patch makes it into core in some form that in future the mobile site can strip any style attributes from content and use the template css files instead and thus benefit from the ability to use media queries. This could be a long tedious process but I think it needs to be done.
Thanks in advance for your discussion and thoughts around this long standing issue! ~Jon
[1] https://www.mediawiki.org/wiki/Requests_for_comment/Deprecating_inline_style... [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=35704 [3] https://github.com/wikimedia/mediawiki-extensions-MobileFrontend/blob/master... [4] https://gerrit.wikimedia.org/r/68123
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Not in its current form, but in the glorious future I dream about being able to set a content security policy that forbids all inline css and JavaScript. That would prevent most of the xss that are reported from being exploitable. On Jun 11, 2013 5:53 PM, "Tyler Romeo" tylerromeo@gmail.com wrote:
Just for the record, which security issues would this be fixing?
*-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On Tue, Jun 11, 2013 at 8:39 PM, Jon Robson jdlrobson@gmail.com wrote:
Many of you on the mailing list should be aware of the troubles that the style attribute brings to mobile [1,2] and the amount of hacks [3] that we have to introduce to work around them.
I still truly believe the only way we can resolve this is a long term rethink of how we approach custom styling on wiki. I have also heard from Chris Steipp that there are security implications with allowing inline styles which such a move would address.
I have submitted a patch [4] (mostly to share ideas and prompt discussion - before you pounce on it be aware I have -2ed it to allow discussion on whether there is a better way to do this - for instance it might be worthy of a new namespace, it might need more protection etc.. ).
All the patch does is allow Template:Foo to have an associated stylesheet Template:Foo.css which is included in pages that use it.
So if the San Francisco article uses templates Foo, Bar and Baz, a style tag will be constructed from the content of Template:Foo.css, Template:Bar.css and Template:Bar.css and inserted into the page. When the templates change the entire page San Francisco is changed and thus the new styling is applied.
This would reduce the need for css hacks in mobile and keep power in editors hands.
On the assumption that this patch makes it into core in some form that in future the mobile site can strip any style attributes from content and use the template css files instead and thus benefit from the ability to use media queries. This could be a long tedious process but I think it needs to be done.
Thanks in advance for your discussion and thoughts around this long standing issue! ~Jon
[1]
https://www.mediawiki.org/wiki/Requests_for_comment/Deprecating_inline_style...
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=35704 [3]
https://github.com/wikimedia/mediawiki-extensions-MobileFrontend/blob/master...
[4] https://gerrit.wikimedia.org/r/68123
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Tue, Jun 11, 2013 at 11:11 PM, Chris Steipp csteipp@wikimedia.orgwrote:
Not in its current form, but in the glorious future I dream about being able to set a content security policy that forbids all inline css and JavaScript. That would prevent most of the xss that are reported from being exploitable.
Ah, I see. How I'd love to see that.
*-- * *Tyler Romeo* Stevens Institute of Technology, Class of 2016 Major in Computer Science www.whizkidztech.com | tylerromeo@gmail.com
On 6/11/13, Jon Robson jdlrobson@gmail.com wrote:
Many of you on the mailing list should be aware of the troubles that the style attribute brings to mobile [1,2] and the amount of hacks [3] that we have to introduce to work around them.
I still truly believe the only way we can resolve this is a long term rethink of how we approach custom styling on wiki. I have also heard from Chris Steipp that there are security implications with allowing inline styles which such a move would address.
I have submitted a patch [4] (mostly to share ideas and prompt discussion - before you pounce on it be aware I have -2ed it to allow discussion on whether there is a better way to do this - for instance it might be worthy of a new namespace, it might need more protection etc.. ).
All the patch does is allow Template:Foo to have an associated stylesheet Template:Foo.css which is included in pages that use it.
So if the San Francisco article uses templates Foo, Bar and Baz, a style tag will be constructed from the content of Template:Foo.css, Template:Bar.css and Template:Bar.css and inserted into the page. When the templates change the entire page San Francisco is changed and thus the new styling is applied.
This would reduce the need for css hacks in mobile and keep power in editors hands.
On the assumption that this patch makes it into core in some form that in future the mobile site can strip any style attributes from content and use the template css files instead and thus benefit from the ability to use media queries. This could be a long tedious process but I think it needs to be done.
Thanks in advance for your discussion and thoughts around this long standing issue! ~Jon
[1] https://www.mediawiki.org/wiki/Requests_for_comment/Deprecating_inline_style... [2] https://bugzilla.wikimedia.org/show_bug.cgi?id=35704 [3] https://github.com/wikimedia/mediawiki-extensions-MobileFrontend/blob/master... [4] https://gerrit.wikimedia.org/r/68123
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
I like the idea of this (for reasons that have nothing to do with mobile). It would be nice to have css associated with the content defined. I'm pretty sure wikis want things like this. Wikinews for example loads MediaWiki:Common.css/{{FULLPAGENAME}} basically on every page.
To be honest though, I'm unclear how this would fix things for mobile. Wouldn't folks just put their problematic inline styles into a stylesheet, and have them be just as problematic in the stylesheet? (Not overly following mobile development)
I still truly believe the only way we can resolve this is a long term rethink of how we approach custom styling on wiki. I have also heard from Chris Steipp that there are security implications with allowing inline styles which such a move would address.
I'm curious what those might be (Although I expect I won't find out...). I know your patch is a proof of concept, but in its current form, it introduces various security issues that don't exist before (arbitrary css allowed = XSS).
---
Now, to bikeshed (I assume you're expecting this, sending it to wikitech-l and all).
Personally, I would like the template namespace to not be special. Hence I would like this all to work for other namespaces. So if you create a fake template in your user space, you could do the css thing too. This suggests a "CSS" namespace where you can create pages like CSS:Template:Foo.
Alternatively we could have a css parser function where you put <css>foo {border: red }....</css>, and it gets applied to the current page, and everything that is transcluding it (Possibly with an option similar to <noinclude> where the syntax highlighted version of the tags contents is only shown on the original page and not on transcluded pages.). The downside is less clear a content/style separation, but its still quite a clear separation imo.
--bawolff
On Tue, Jun 11, 2013 at 8:39 PM, Jon Robson jdlrobson@gmail.com wrote:
All the patch does is allow Template:Foo to have an associated stylesheet Template:Foo.css which is included in pages that use it.
How would this handle something like https://en.wikipedia.org/wiki/Template:Colorbox ?
I think Template:Foo.css would be just a MediaWiki template, and there would be a way to forward some arguments to the CSS template.
On Wed, Jun 12, 2013 at 5:44 AM, Brad Jorsch bjorsch@wikimedia.org wrote:
On Tue, Jun 11, 2013 at 8:39 PM, Jon Robson jdlrobson@gmail.com wrote:
All the patch does is allow Template:Foo to have an associated stylesheet Template:Foo.css which is included in pages that use it.
How would this handle something like https://en.wikipedia.org/wiki/Template:Colorbox ?
-- Brad Jorsch Software Engineer Wikimedia Foundation
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 12/06/13 10:39, Jon Robson wrote:
[1] https://www.mediawiki.org/wiki/Requests_for_comment/Deprecating_inline_style...
[...]
I put my comments at the bottom of the RFC and on Gerrit.
-- Tim Starling
On 06/11/2013 05:39 PM, Jon Robson wrote:
[1] https://www.mediawiki.org/wiki/Requests_for_comment/Deprecating_inline_style...
I left some comments at the bottom of the RFC.
Gabriel
Firstly thank you so so much for all this constructive discussion.
I worry that I'm convoluting this discussion with my wish to deprecate the style attribute. It's a thing I would like to see but it is not the most important discussion to have on the short term in which the goal is to style things better on mobile.
As a result since this does not seem to be helping I have decided to create a new but related request for comment: https://www.mediawiki.org/w/index.php?title=Requests_for_comment/Allow_styli...
I realise there are various templates that will not work or be helped by this move (for instance the Colorbox template Brad asks about), but I think it is too early to worry about these templates. I would like to see the style attribute completely unused but ultimately this decision in future would be one made by the community/security needs. I see this as step 1 in a long but much needed journey.
I also realise there are security risks. I am aware this opens up the potential for vandalism but I'd hope that these would not happen often due to edits being restricted to admins.
Thanks again for your constructive comments so far and I really hope we can get some consensus and push this work forward. Please view the talk page to see the more actionable next steps. I look forward to us moving this forward...!
On Wed, Jun 12, 2013 at 10:01 AM, Gabriel Wicke gwicke@wikimedia.org wrote:
On 06/11/2013 05:39 PM, Jon Robson wrote:
[1] https://www.mediawiki.org/wiki/Requests_for_comment/Deprecating_inline_style...
I left some comments at the bottom of the RFC.
Gabriel
On 6/13/13, Jon Robson jdlrobson@gmail.com wrote:
Firstly thank you so so much for all this constructive discussion.
I worry that I'm convoluting this discussion with my wish to deprecate the style attribute. It's a thing I would like to see but it is not the most important discussion to have on the short term in which the goal is to style things better on mobile.
As a result since this does not seem to be helping I have decided to create a new but related request for comment: https://www.mediawiki.org/w/index.php?title=Requests_for_comment/Allow_styli...
I realise there are various templates that will not work or be helped by this move (for instance the Colorbox template Brad asks about), but I think it is too early to worry about these templates. I would like to see the style attribute completely unused but ultimately this decision in future would be one made by the community/security needs. I see this as step 1 in a long but much needed journey.
I also realise there are security risks. I am aware this opens up the potential for vandalism but I'd hope that these would not happen often due to edits being restricted to admins.
Thanks again for your constructive comments so far and I really hope we can get some consensus and push this work forward. Please view the talk page to see the more actionable next steps. I look forward to us moving this forward...!
On Wed, Jun 12, 2013 at 10:01 AM, Gabriel Wicke gwicke@wikimedia.org wrote:
On 06/11/2013 05:39 PM, Jon Robson wrote:
[1] https://www.mediawiki.org/wiki/Requests_for_comment/Deprecating_inline_style...
I left some comments at the bottom of the RFC.
Gabriel
-- Jon Robson http://jonrobson.me.uk @rakugojon
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Hi,
As a result since this does not seem to be helping I have decided to create a new but related request for comment: https://www.mediawiki.org/w/index.php?title=Requests_for_comment/Allow_styli...
That page doesn't exist.
I also realise there are security risks. I am aware this opens up the potential for vandalism but I'd hope that these would not happen often due to edits being restricted to admins.
That's an important point you forgot to mention in your original proposal. I assumed you wanted this to be editable by everyone :)
Personally I'd rather have it be safe, and usable by everyone. (Also I'd like a pony if its not too much trouble)
--bawolff
On Thu, Jun 13, 2013 at 2:57 PM, Brian Wolff bawolff@gmail.com wrote:
On 6/13/13, Jon Robson jdlrobson@gmail.com wrote:
As a result since this does not seem to be helping I have decided to create a new but related request for comment: https://www.mediawiki.org/w/index.php?title=Requests_for_comment/Allow_styli...
That page doesn't exist.
https://www.mediawiki.org/wiki/Requests_for_comment/Allow_styling_via_style_... seems to be the correct link.
I also realise there are security risks. I am aware this opens up the potential for vandalism but I'd hope that these would not happen often due to edits being restricted to admins.
That's an important point you forgot to mention in your original proposal. I assumed you wanted this to be editable by everyone :)
Personally I'd rather have it be safe, and usable by everyone.
I expect a vocal fraction of the enwiki community would agree with Brian on that, based on past experience.
Sorry link fail: https://www.mediawiki.org/wiki/Requests_for_comment/Allow_styling_via_style_...
On Thu, Jun 13, 2013 at 12:05 PM, Brad Jorsch bjorsch@wikimedia.org wrote:
On Thu, Jun 13, 2013 at 2:57 PM, Brian Wolff bawolff@gmail.com wrote:
On 6/13/13, Jon Robson jdlrobson@gmail.com wrote:
As a result since this does not seem to be helping I have decided to create a new but related request for comment: https://www.mediawiki.org/w/index.php?title=Requests_for_comment/Allow_styli...
That page doesn't exist.
https://www.mediawiki.org/wiki/Requests_for_comment/Allow_styling_via_style_... seems to be the correct link.
I also realise there are security risks. I am aware this opens up the potential for vandalism but I'd hope that these would not happen often due to edits being restricted to admins.
That's an important point you forgot to mention in your original proposal. I assumed you wanted this to be editable by everyone :)
Personally I'd rather have it be safe, and usable by everyone.
I expect a vocal fraction of the enwiki community would agree with Brian on that, based on past experience.
-- Brad Jorsch Software Engineer Wikimedia Foundation
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 06/13/2013 02:57 PM, Brian Wolff wrote:
That's an important point you forgot to mention in your original proposal. I assumed you wanted this to be editable by everyone :)
I think it should simply follow the permissions of the accompanying page. That way, people can develop templates in their userspace (it needs to provide for that if it's limited to certain namespaces). Little used templates are generally not protected, and the same should follow for the CSS. This does imply the sanitization needs to work.
Matt Flaschen
Thanks to Matt and Daniel for your input so far. I would really appreciate some more heads commenting/voting on this so it is possible to start building this...
Thanks in advance! Jon
https://mediawiki.org/wiki/Requests_for_comment/Allow_styling_in_templates
On Thu, Jun 13, 2013 at 2:05 PM, Matthew Flaschen mflaschen@wikimedia.org wrote:
On 06/13/2013 02:57 PM, Brian Wolff wrote:
That's an important point you forgot to mention in your original proposal. I assumed you wanted this to be editable by everyone :)
I think it should simply follow the permissions of the accompanying page. That way, people can develop templates in their userspace (it needs to provide for that if it's limited to certain namespaces). Little used templates are generally not protected, and the same should follow for the CSS. This does imply the sanitization needs to work.
Matt Flaschen
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
-- Jon Robson http://jonrobson.me.uk @rakugojon
On Mon, Jun 17, 2013 at 10:35 AM, Jon Robson jdlrobson@gmail.com wrote:
Thanks to Matt and Daniel for your input so far. I would really appreciate some more heads commenting/voting on this so it is possible to start building this...
Hi Jon,
You probably want to make sure you link to it from the appropriate place here: http://www.mediawiki.org/wiki/Requests_for_comment
Otherwise, it might escape notice as the queue starts getting cleared out.
Rob
wikitech-l@lists.wikimedia.org