Remove the unused formatException method.
Test Plan (compare with and without this patch checked out):
* Add `.bla()` to resources/src/mediawiki.special/comparepages.less.
* View Special:ComparePages in a browser,
and check devtools, Network, and inspect load.php CSS response.
* View Main_Page, run `mw.loader.load('mediawiki.special')`
and check the devtools, Console, and find the native error.
Phan comment has to be removed after this change:
> includes/ResourceLoader/ResourceLoader.php:860
> UnusedPluginSuppression
> Plugin BuiltinSuppressionPlugin suppresses issue SecurityCheck-XSS
> on this line but this suppression is unused or suppressed elsewhere.
Bug: T116129
Change-Id: I6aa0c614964805f7cd9246aec3e2a0071a88ad22
* Remove references to IDatabase from preloadModuleInfo() and with
it the last reference to Rdbms in the ResourceLoader service
(progressing T32956).
* Simplify WikiModule::preloadTitleInfo() so that it doesn't need
an IDatabase object unless
1) there are non-zero WikiModule objects in the batch, and
2) there is a cache miss.
* Remove needless IDatabase parameters passed or mocked for this
method. Note that WikiModule already had `@group Database` set
since each WikiModule::getDB() is called and uses an unmocked
database. The mocked database was only injected to satisfy the
method signature.
Bug: T32956
Bug: T359522
Change-Id: I022f02d6e6bbae46c3258a7c07a1d6723506d8bc
Follows-up 7c2c016e46 (I086e275148), which placed getDebug
conditionals in several places but forgot this one.
Test Plan:
* View a stylesheet on load.php with debug=1.
E.g. open Main_Page, view-source, open the first `<link>` URL
in a new tab, and append `&debug=true`.
Change-Id: I002b27dc4961a00121aec7caee87496b9d74aed3
* Switch out raw Exceptions, mostly for InvalidArgumentExceptions.
* Fake exceptions triggered to give Monolog a backtrace are for
some reason "traditionally" RuntimeExceptions, instead, so we
continue to use that pattern in remaining locations.
* Just entirely give up on PostgresResultWrapper's resource vs. object mess.
* Drop now-unneeded false positive hits.
Change-Id: Id183ab60994cd9c6dc80401d4ce4de0ddf2b3da0
Migrate resourceloader.responseTime to statslib, with updated prom metric naming
of resourceloader_response_time_seconds
Bug: T355960
Change-Id: Ife98e9c0d4411b1f96bcb8055424f9c9cddb80f1
There are a couple of user options related classes already,
and the T321527 work on dynamic defaults is going to add
even more. Let's move them into a separate namespace
to make core a bit more organized.
Old name is kept as an alias for compatibility purposes.
Bug: T321527
Bug: T352284
Change-Id: I9822eb1553870b876d0b8a927e4e86c27d83bd52
These members were not used outside of the constructor and should
really go away. The hook runner member is unused while the loadScript
one is only used within the constructor, so we can inline it.
Change-Id: I840306cc4683588ccd6d30a0ef8b3d8a4208615d
These are the same as taint-check's MediaWikiSecurityCheckPlugin.php.
The notable exception is methods in WebRequest that were previously
hardcoded as returning a safe value. This was a consequence of said
methods returning safe types (e.g., int, bool). Instead of adding
taint-check annotations, add return typehints instead, which let
taint-check remove any taintedness.
Fix some taint-check issues that were previously not spotted or whose
suppressions were removed in other patches.
Also fix the following bugs spotted by phan thanks to the type hints:
- SpecialExport did not have explicit handling of null $depth, and just
returned 0 because null fails both the < and the > comparisons.
- Improve documentation of params and props in ProtectedPagesPager.
SpecialProtectedPages can pass null $namespace and $size.
- Remove unused parameter from SpecialProtectedPages::showOptions, of
which $ns and $size were not documented as nullable.
- Add FIXMEs in SpecialVersion about very inconsistent escaping.
Bug: T321806
Change-Id: I726f528856614c92329683a0ad8936a42e262748
The base phan config uses a file_exists check to determine whether to
use the namespaced class name, but it doesn't work when running against
core because MW_INSTALL_PATH isn't set. So specify the type in the local
config, and remove @phan-var annotations added in I6bbdbbe6.
Also use `::class` instead of string literals for classes.
Change-Id: I994a0ed32ea948253ed07ee3cc8868a0eaa6d8b9
Follows-up 7c2c016e46 (I086e275148). This separates the link from
the response such that when it gets copied elsewhere, hosted elsewhere,
saved offline, proxied, archived, or otherwise served from a different
place or with different content; the header is most likely naturally
not copied along.
This is based on upstream experience by the jQuery Team where e.g.
distributions of jQuery, or concatenations, etc would lead to
confusing errors or inability to see any source in the devtools.
In the Wikimedia community we have two similar use cases:
1. people sometimes copy load.php responses to a wiki page, e.g.
as a way to "distribute" a ResourceLoader-built gadget or to
fork/debug some core code.
2. the Internet Archive stores copies of our responses, but doesn't
proactively download source map links.
For example, archiving
https://people.wikimedia.org/~krinkle/wikimedia-minify-2.5.0-test-sourcemap/combine.html
results in:
> … /~krinkle/wikimedia-minify-2.5.0-test-sourcemap/combine.html
> … /~krinkle/wikimedia-minify-2.5.0-test-sourcemap/combine.min.js
> Archived at
> http://web.archive.org/web/20230905211332/https://people.wikimedia.org/~krinkle/wikimedia-minify-2.5.0-test-sourcemap/combine.html
Bug: T47514
Change-Id: I3e85c2afb107ce1185651ab038379e4abe87a445
Follows-up b2bd5d70df (Iad2f5189da33551b). We found no evidence
of any cache poisoning. The bulk of the warnings from this line of
instrumentation ended up being due to logic bugs in RL\ImageModule that
result in a consistently different version hash, which didn't cause
any corruption or poisoning. It merely caused a cache miss more often
than it theoretically needed, and has since been fixed on the task
in another commit.
What remains is simply version mismatches from outdated URLs
that RL automatically replaces with the correct versions, and we
already correctly shorten TTL to avoid any poisoning.
Bug: T321394
Change-Id: I03dcae070479a28ad795f4fda62f532c9c6ab45b
In the debugger of Firefox and Chrome, without any special debug mode,
you will be able to see the original unminified JavaScript source, and
to set breakpoints in it and step through it.
Main visible changes:
* Add a config variable controlling the generation of source map links,
off by default for now.
* For script responses, move errors to the bottom of the response. This
avoids disturbing the source map.
* mw.loader.impl() calls will have less whitespace in debug mode,
because minification is no longer done as a post-processing step on
these calls.
Details:
* Use an index map when multiple responses are requested. This requires
an update to the minify library.
* Add a boolean "sourcemap" query parameter which causes load.php to
deliver source map output instead of regular minified content.
* Bundle sources into the source map and use two kinds of fake URL if a
real debug URL is not available. "Open in new tab" on a fake URL is
not functional.
* In the source map mode, respond with 404 if the version is mismatched
or if the content type is unimplemented.
* Fix createLoaderURL() so that $extraQuery is not ignored when there
are conflicting context parameters, so that we can successfully
override the version. The source map version should match the
delivered content, not the requested version.
* Since minification with source map tracking can't use filter(),
add a new cache for module source maps and minification. Add hit rate
stats.
Also:
* Fix unnecessary array_map() in getCombinedVersion()
Bug: T47514
Change-Id: I086e275148fdcac89f67a2fa0466d0dc063a17af
* Have FileModule::getScript() always return an array with a filePath
or fakeFilePath, not a string. This allows source maps to be
constructed.
* Make the scripts returned from Module::buildContent() always be an
array. Module::getScript() may still return a string for b/c.
* In makeLoaderImplementScript(), interpret the new plainScripts array.
Factor out the package file normalization loop from
makeLoaderImplementScript().
* Fix missing base path in mediawiki.base.
* Improve relevant doc comments.
Bug: T47514
Change-Id: I392a8cce9a0febc707b6cb17412e3b723c9cc686
When I was testing for caching in RL, I realized file cache is
completely broken and mostly useless, especially for not taking into
account new query parameters and thinking basically all RL modules are
uncachable.
Let's just remove this.
Bug: T330576
Change-Id: I5b17bfc4c5543bd0e96e1099c87341ddf8fd6572
This is an intermediate step towards the linked bug, to help untangle
the performance impacts.
Bug: T343407
Change-Id: I086f173f811fb44683f4a67bf6bc415d7e27f593
The "nonce" CSP feature has never been properly tested and is not
on track to be enabled at WMF or in MW by default. The use of
nonce-protected eval is not particularly meaningful. It is trivially
bypassed by mw.loader.implement, mw.loader.store, or importScript();
all of which allow any code to be executed directly, or to be stored
and loaded from a first-party origin.
The "nonce" feature is not required for the T208188 roadmap, and with
change I51b8535b2b21a3 there is now also a (small) performance reason
to keep this disabled long-term.
Until and unless there is a plan for enabling this particular aspect
of CSP, we might as well remove it so that we don't waste our
time building abstraction layers and satisfying dependency injection
through many years for something that might never be used.
Note that this does not remove CSP support from ResourceLoader, and
does not take away from the future of enabling CSP in MediaWiki to
e.g. strictly block third-party scripts, or to require domains to
opt-in by site config or user pref (T208188).
Change-Id: I5a176c41a06a484a11e64bdacdc42b40811fe72e
It's awkward to construct a source map when the file contents are
modified after loading. Delivering deprecation warnings as JS code
seems like an odd convention anyway.
So, send the module deprecation warning as an additional parameter to
mediawiki.loader.implement().
Deprecation warnings are no longer displayed in only=scripts mode.
Remove deprecation tests from FileModuleTest since FileModule no longer
has any relevant deprecation code. Add tests to ModuleTest.
Deprecate Module::getDeprecationInformation().
Bug: T47514
Change-Id: I20938cf4ab78afc9a2d72fbd163a7c5f21755820
The only remaining references to the Xml:: versions of those methods are
in doc comments and in HISTORY.
Bug: T341779
Change-Id: I004a925f80ae23eff2c078c95b8caa8ccf64ffd2
These methods really belong in the Html class, not Xml. Leave behind
soft-deprecated Xml methods that forward to the Html ones, as well as a
class alias for HtmlJsCode (renamed from XmlJsCode).
Bug: T341779
Change-Id: I99a5f9de1411d4eb5ee30226b4e8ace3ea8b2c3b
Reuse the existing loop over modules to trim each module definition
Also remove a by-ref which is not used (was added in c0c221bf)
Change-Id: Ia3560694ccee4ce95607809d51097b3fd10d79aa
The conditional here was handling two different cases, exceptions
thrown with $errors, and versions out of sync.
Bug: T321394
Change-Id: I0b861dbac4d497c974244da7e9f444e3683e9032
The Hooks class contains deprecated functions and the whole class is
going to get removed, so remove the convenience function and inline the
code.
Bug: T335536
Change-Id: I8ef3468a64a0199996f26ef293543fcacdf2797f
Send a message to Logstash when this condition is reached.
It is expected that this happens for a portion of clients during the
5min after a deployment, as such use an informational message,
not a warning.
This level is already enabled in wmf-config for channel=resourceloader.
I'm adding this now as I'd like to rule out or confirm whether
our own CDN caching plays a role in the corruptions reported at
T321394. If so, we can dig deeper there. If not, then we're likely
looking at a problem relating to browser extensions, Wikipedia mirrors,
or user scripts; rather than something under our own control.
Bug: T321394
Change-Id: Iad2f5189da33551b59653c2a6783419d6ad955d0
Follows-up I992ccde79a59ad51c.
* Soften the test to only asserting that an exception is thrown,
the type isn't part of the API.
* Throw RuntimeException instead of MWException per T86704.
Bug: T86704
Bug: T328602
Change-Id: Ifaa5d659941d60789ca14f771648e5830bbef317
Confirm that load.php can respond for all registered modules without
errors (except private modules, which we don't serve there).
Bug: T47514
Change-Id: I44655b2c05529ae719d71622f57bfed8d632550e
* Document `$scripts` types in a list for clarity, and make the
end-to-end connection to what these are for in practice (especially
for debug mode, and for site/user scripts).
* Fix outdated `$styles` docs. This has changed long ago.
* Remove support for $messages array. This existed solely to pass
an empty value for cases where messages are not needed.
Change that to null instead.
Change-Id: I0c0ef94d830171a3dd8588de8c4a1f3d67607d41
Importing Less files from @wikimedia/codex-design-tokens/ doesn't work,
on purpose. Instead of letting these imports fail with a nondescript
"file not found" error that doesn't help the developer understand why it
didn't work, provide a descriptive error message that points them in the
right direction.
Bug: T328602
Change-Id: I992ccde79a59ad51c7ebfe3ac7548a6e531f4a59
This replaces the hacky wrapper files in
resources/src/mediawiki.less/mediawiki.skin.codex-design-tokens/ and
resources/src/medawiki.less/@wikimedia/codex-icons/dist/ with real
import path aliasing/remapping.
Bug: T328602
Change-Id: I2df266cde90d1b8dad8d1d1367b67001e2b2984d