When watching a page, a toast appears with a message to confirm it has been
watched/unwatched successfully. This replaces the toast with a OOUI popup.
Bug: T249259
Change-Id: Ib1b8e31ce8e6fe271cb0d6e5fbaf80bc65360da1
In some cases CSS classes must be on the <html> element and not the
<body>. An example is the DarkMode extension. Due to how the stacking
context works, the CSS `invert()` filter must be on <html>. We can't use
JavaScript to apply the styles because there would be a brief delay
after page load before the JS runs, causing a flashing effect.
Bug: T241925
Change-Id: I4b994e081d9582801fe9d198efd68afc46a14703
Adds <link rel="preconnect"> for the first valid foreign or local file
repo, on pages containing images.
This is a hint to the browser that it should open a connection to the
other host (e.g. upload.wikimedia.org), if it doesn't have one
already. Doing so allows the connection setup to happen before page
parsing is complete, and should result in faster image loading,
especially on slow connections.
Bug: T123582
Change-Id: I2dcc14f05012570a3e41ed8c7064969a4cbfb6db
This is a collection of random bits from my local stashes. This patch
intentionally only touches comments, no code.
Notably:
* Use more specific string[] instead of array, if possible.
* Some comments mention "or null", but miss to list the type.
Change-Id: I712b28964f125c8e3dcb4e3fb993757a09f96644
For back-compat, keep 'user.tokens' as deprecated alias to 'user.options'
for one release cycle (to be removed in MW 1.36).
== user.options ==
As before, 'user.options' arrives immediately on every page view,
embedded in the HTML. It has an async dependency on 'user.defaults',
which is not downloaded until there is a known demand on
'user.options'. Once that arrives, the implementation closure
of 'user.options' will execute, and the module becomes 'ready'.
== user.options "empty" ==
Before this change, UserOptionsModule used isKnownEmpty to consider the
module "empty" for logged-out users (as well as for logged-in users that
haven't yet set any preferences).
This was a mistake. It is invalid in ResourceLoader to mark a module as
"empty" if that module has dependencies (see also T191596 and c3f200849).
This broke the state machine. The impact was minimal given that it is unlikely
for features to read keys from mw.user.options for logged-out users, which
if attempted would have simply returned null for all keys.
== New HTML ==
The user.options module is always embedded (never empty), and always
has a dependency on user.defaults.
== Cached HTML ==
The cached HTML for anons sets user.options's state to ready without
waiting for any dependency. Per the above, this was already causing
subtle bugs with mw.user.options.get() likely returning null for anons,
which was fairly innocent. For tokens a bottom value of null would be
problematic as the default for tokens must be "+\" instead. To make
sure that is available for cached page views, set this directly
in mediawiki.base.js. The cached HTML does contain an implement call for
'user.tokens' that contains the same defaults, but new code will not
be asking for or waiting for user.tokens, so that is unused.
Bug: T235457
Change-Id: I51e01d6fa604578cd2906337bde5a4760633c027
This internal variable was exported on all page views for all users
for use by jquery.tablesorter.
This feature has not used it since 2013 (commit 65f11938e8),
where it was migrated to use the mediawiki.language module instead.
Bug: T48496
Bug: T219340
Change-Id: I1c9b012d633ffd76a31be5822fd2f4f984e1fb5c
This adds methods to ParserOutput ::addExtraCSPStyleSrc,
::addExtraCSPDefaultSrc, and ::addExtraCSPScriptSrc, to easily
allow parser tags/functions to add additional CSP sources if their
tag needs it. Previously such an extension would need to use
and OutputPage hook. This is modeled on how addModules() works.
The immediate use case is for Kartographer (T240960), although
its expected that lots of extensions might do something like this,
especially extensions used outside of Wikimedia.
Change-Id: I24e5f0b4edff58025a0c2a3e1a9aa3f62eb7db7b
Previously this hook ran after the header was sent, so it was
very confusing why CSP adjustments were being ignored by it. This
was especially the case, as it is a very natural point to adjust
the CSP policy, as commonly it is used to adjust what modules are
loaded.
Bug: T246614
Change-Id: I38f8f43fdc1d9bbd2f9af04305aad7a370b107b6
The non-tidy parsing modes were deprecated in 1.32. Remove the
deprecated parse/parseInline methods which use them, as part of a
general clean up of nontidy parsing modes.
Bug: T198214
Change-Id: I04ea82dd20eac8b0ce07a8d0e6b0bf2c4b03dbe8
Inspired by wikiHow's RobotPolicy extension, which depends on the existence of OutputPage#getRobotPolicy, as the extension needs to know the current robot policy state.
Change-Id: I764f5584a9f04a6b66c53193e9118dd1a5248284
Scalar casts are still allowed (for now), because there's a huge amount
of false positives. Ditto for invalid array offsets.
Thoughts about the rest: luckily, many false positives with array offsets
have gone. Moreover, since *Internal issues are suppressed in the base
config, we can remove inline suppressions.
Unfortunately, there are a couple of new issues about array additions
with only false positives, because apparently they don't take
branches into account.
Change-Id: I5a3913c6e762f77bfdae55051a395fae95d1f841
This is to make it behave in a more object orientied way. The
goal is to make it be easier to allow extensions to mark certain
pages as requiring a different policy (For example, CodeEditor
extension uses a blob: url with a WebWorker. We don't want to
include that on the policy of every page, but allow the extension
to mark it as required whenever needed).
This commit does not change code behaviour in any way.
Change-Id: I4bf53dabb6e6c5446cea99a64db68b300cef2fd4
This reverts commit cb6a24d3c4. We were looking to find
violations other than the Gadgets extension in preparation for
removal of this feature. And... we have. And they're sufficiently
high-volume that it doesn't make sense to keep enabled until we've
fixed those.
Lower the detection severity back down until we've fixed these
new ones.
Bug: T235711
Change-Id: Ia3c047f76430584dcc49741ba2d7b7f7b2b89063
Now that we've all known violations we can safely enable this
in production. It was mainly held back because the Gadgets
extension violated it "by default" due to not checking targets
and letting core handle it. This has been fixed by f59eaacb4f72d8
in MobileFrontend and 2008def8063 in Gadgets.
Bug: T127268
Change-Id: I43aed5011f96160565f2dfc3422034d0e8fa95c4
This was previously hardcoded from three places: 1) Upon viewing EditPage,
2) Upon viewing SpecialCreateAccount, 3) For any url if the user is
logged-in (User::loadFromSession/isLoggedIn).
== User::loadFromSession
Performing cookie blocks from here created a circular dependency because
Block may need the user language for localisation, which is determined by
asking the User object. This was previously worked around by using a
DeferredUpdate (T180050, T226777). Moving this logic explicitly to the
end of the pre-send cycle in MediaWiki::preOutputCommit breaks the cycle.
This is also where other request-specific handling resides already.
== Limited effect on unregistered users
When an unregistered user performs an edit, and gets blocked,
the cookie block is not applied until they open built-in editor
or CreateAccount page. This makes it more likely for a user's
IP to change meanwhile. Either intentionally, or simply due to
IPs varying naturally (e.g. between mobile locations, or when
going on/off WiFi). By applying it throughout sessioned page
views for unregistered users, it is more likely to get set.
Similar to what was already done for logged-in users.
This commit also makes the intent of not caching EditPage and
SpecialCreateAccount explicit. This was previously implicit
through nothing having called setCdnMaxage() and/or due to
Session::persist being checked for by OutputPage::sendCacheControl.
Bug: T233594
Change-Id: Icf5a00f9b41d31bb6d4742c049feca0039d0c9d9
Phan can treat scalar types as non-interchangeable with
`scalar_implicit_cast` set to false. This patch fixes some of those
issues (which are in total >1000), namely the ones with alphabetic order
< includes/actions.
Change-Id: Ib1c6573ab899088bc319b9da9ceaffc850da3dbe
Methods that visibility was added to are; `addMeta()`, `addLink()`,
`setCanonicalUrl()`, `addScript()`, `getHeadItemsArray()`, `addParserOutput()`,
`getCacheVaryCookies()` and `haveCacheVaryCookies()`. Last but not lease, did
a few micro-optimizations to `addMeta()` and `addLink()`.
Change-Id: I94d037a5edc7131627724fd1d864000128077b0c
Reduces output by not needlessly performing a change client-side
for which we already know the result server-side.
Bug: T231168
Change-Id: I4b8749f976d04d24f85236ddd641c7a4c7f6c23a
Skin shouldn't be responsible for providing requested revisionId
nor if that revision is the current revision.
The OutputPage object has all required information (both the
currentRevisionID and the current Title object).
Change-Id: I2dbae4c6968a2b3b3cea3e09977e9579609b4cc5
