The "nonce" CSP feature has been never been properly tested and is not
on track to be enabled at WMF or in MW by default. The use of
nonce-protected eval is not particularly meaningful. It is trivially
bypassed by mw.loader.implement, mw.loader.store, or importScript();
all of which allow any code to be executed directly, or to be stored
and loaded from a first-party origin.
The "nonce" feature is not required for the T208188 roadmap, and with
change I51b8535b2b21a3 there is now also a (small) performance reason
to keep this disabled long-term.
Until and unless there is a plan for enabling this particular aspect
of CSP, we might as well remove it so that we don't waste time our
time building abstraction layers and satisfying dependency injection
through many years for something that might never be used.
Note that this does not remove CSP support from ResourceLoader, and
does not take away from the future of enabling CSP in MediaWiki to
e.g. strictly block third-party scripts, or to require domains to
opt-in by site config or user pref (T208188).
Change-Id: I5a176c41a06a484a11e64bdacdc42b40811fe72e
It's awkward to construct a source map when the file contents is
modified after loading. Delivering deprecation warnings as JS code
seems like an odd convention anyway.
So, send the module deprecation warning as an additional parameter to
mediawiki.loader.implement().
Deprecation warnings are no longer displayed in only=scripts mode.
Remove deprecation tests from FileModuleTest since FileModule no longer
has any relevant deprecation code. Add tests to ModuleTest.
Deprecate Module::getDeprecationInformation().
Bug: T47514
Change-Id: I20938cf4ab78afc9a2d72fbd163a7c5f21755820
Syntactical leftover with no significance in modern web.
Bug: T309150
Depends-On: I3a029ca950db42b938962b2452ad136ae8ddea6f
Depends-On: Id0557ac19583de36d7226b14a4c06933da47fe97
Depends-On: I17580a72e4a9384d7d774866e610197e950900cb
Change-Id: I4bbfa47fbf6e30fb90d920d6d02cdf6e0b1cdb46
This allows the body classes of skins to be customized for anonymous
users. Enable using $wgResourceLoaderClientPreferences = true;
* Only classes of the form <prefix>-(disabled|enabled)
can be toggled.
* For now no client side API is provided as this should not be
considered stable.
* Storage mechanism is cookie, stored under "mwclientprefs"
* Preferences apply to all skins. This means setting a preference
in Vector 2022 would also lead to class manipulation in Minerva.
This is by design to allow for skin-agnostic preferences. Up to
caller to make sure the class being manipulated is limited to the
skin if required ie. don't use generic classes.
* Avoids try/catch and JSON parsing by storaging as a string
* Places inline script before body tag before first stylesheet to
avoid breaking the article's ability to parse the article
concurrently with stylesheet download.
Usage:
Given a document with classes
"client-js vector-feature-limited-width-enabled ext-feature-enabled"
Set:
document.cookie = 'mwclientprefs=vector-feature-limited-width'
Will result in toggling off the limited width.
Bug: T321498
Change-Id: Ic3b6eec19953932c697ab5bf48c33a4ac1841b07
I consider it busywork to maintain this, for no tangible benefit.
Limiting the credited coverage to a class is limiting enough to
exclude unintended coverage from reports. Especially as this
helps ensure tracking coverage correctly for implementation details
such as helper methods and internal methods that do not warrant
their own test as that would defeat the purpose of tests exercising
the contract and demonstrating good usage.
Change-Id: Icf865f15cbd86585bbc02fc4943a960efb40c0eb
Move config defaults to ResourceLoader class, so that the defaults
reside within the component responsibility, and for future standalone
use and unit testing with the same set of defaults.
Bug: T32956
Change-Id: I4a268e11686e526c4377542d45e198a72e57f182
Move ResourceLoader classes to their own namespace. Strip the
"ResourceLoader" prefix from all except ResourceLoader itself.
Move the tests by analogy.
I used a namespace alias "RL" in some callers since RL\Module is less
ambiguous at the call site than just "Module".
I did not address DependencyStore which continues to have a non-standard
location and namespace.
Revert of a241d83e0a.
Bug: T308718
Change-Id: Id08a220e1d6085e2b33f3f6c9d0e3935a4204659
This reverts commit e08ea8ccb9.
Reason for revert: Breaks Phan in extensions, and as far as I’m aware,
this change isn’t urgently needed for anything, so the simplest fix is
to revert it again for now. After PHP 7.4 it should be safer to try this
again (we hopefully won’t need the two “hack” classes by then).
Bug: T308443
Change-Id: Iff3318cbf97a67f821f78e60da62a583f63e389e
Move ResourceLoader classes to their own namespace. Strip the
"ResourceLoader" prefix from all except ResourceLoader and
ResourceLoaderContext.
Move the tests by analogy.
I used a namespace alias "RL" in some callers since RL\Module is less
ambiguous at the call site than just "Module".
I did not address DependencyStore which continues to have a non-standard
location and namespace.
Change-Id: I92998ae6a82e0b935c13e02a183e7c324fa410a3
2022-05-16 14:41:27 +10:00
Renamed from tests/phpunit/includes/resourceloader/ResourceLoaderClientHtmlTest.php (Browse further)
