T232563 Drop IE6 and IE7 basic compatibility and security support

I propose to remove the security features which protect IE6 and IE7 users from cross-site scripting attacks, and to remove IE6 and IE7 from "basic" support in the compatibility table.

Usage of these browsers is now 0.1% for IE6 and 0.07% for IE7 according to the last 7 days of pageviews_hourly data in Turnilo. In 2011, @demon wrote of supporting IE6: "I remain convinced that it's worth it-- at least for security issues--as long as a browser retains at least 1% market share" (ref). That threshold has evidently been passed.

Dropping security support would not necessarily mean dropping "basic" support (which mostly means CSS and HTML for readers), since the definition of basic support does not include security. However, note that IE5 basic support was dropped in October 2011. Usage at the time was 0.47% of HTML requests according to archived page view data. So IE6 is now much rarer than was IE5 when we dropped support for it.

It's previously been said that popularity in China was stopping us from dropping IE6 support. IE6 is now only 0.02% of requests from China.

Denying user login for these browsers would prevent XSS attacks on privileged users.

Consequent changes:

Optionally:

Related Changes in Gerrit:


Comment Actions

Note: Without contentanalyzer, we probably can also support KML uploads.

Comment Actions

@tstarling @Krinkle thanks to the both of you! What surprises me is that it seems the discussion on Commons at the beginning of this year (which was quite heated) and the resolving of T27707 as a result only a few months before this task was created happened, seemingly, completely independently of each other. Also, I'm surprised to see it actually is possible to drop support for dead browsers. We were led to believe it was impossible.. Also see comments like the one from @revi : "I'm sure WMF will reject this. Don't waste your time. Bye."

It seems there is a severe disconnect between the community and the Phabricatorians/WMF. I don't really have a solution, we'd be happy to reach out but don't know how. You guys should know where our Village Pump is, but we don't hear very often from you. And a ticket like this one is essentially invisible for us. I just found this by accident, way after it was implemented.

Btw, in T27707 it was also found (which everyone here appears to have missed) that IE7 should still work.. on Vista. So that's pretty irrelevant, because most people would rather be found dead in a ditch than admit they're running Windows Vista. :-P

Comment Actions

we don't hear very often from you.

If you wish to be informed of technical decisions happening within the movement, there are many methods to do so. One I would recommend all technically-minded volunteers subscribe to is Tech News, which is published weekly to over 800 pages in over a dozen languages, Commons Village Pump included. This news was communicated on October 14th, a month ago.

I'm sorry you feel left out of the loop and I hope this advice proves fruitful for your continued involvement.

Comment Actions

CKoerner, Aklapper, thanks. I still see room for improvement, perhaps something like a separate section in the newsletter for stuff that can still be commented on and hasn't been decided yet.

I'll reply to @AlexisJazz by private email.

I'd rather keep communication public, be it here or on a wiki discussion page. But as we're here.. In the email (if you want to share the whole mail I'll leave that to you) you call the discussion on Commons a waste of time and suggest we should have just filed an RFC. To this I say:

"YOU CAN FILE RFCs ON PHABRICATOR?"

You assume everyone knows everything. But how you work is a mystery for us. If Forrester had said I should file an RFC (and how), I would have! And well, I guess he *kinda* did: "You can file a technical RfC in Phabricator to stop checking for security vulnerabilities in uploaded files, but I would point out that there's no way we're dropping basic security controls like this, sorry."

So why in the name of all that's holy would I have bothered to figure out how to file a technical RfC? It would be ignored anyway!

You also comment on how impractical a local exception for Commons would be. You might be surprised to hear that I agree. It was absolutely ridiculous, but Forrester told us a technical RfC would be futile, so guess what? We go guerrilla and just make noise. Because there was nothing else we could do. And you can't deny: it worked. I would have preferred the civil solution, really. I literally asked "How to propose a change to the MediaWiki software?" and was basically told to bugger off. You really can't blame me, the Commons community or the drama on our noticeboards for this. This is entirely on you guys. We tried.

Comment Actions

@AlexisJazz sorry about any frustration from the on-Commons discussion in January. It took some discussion of our own on Phabricator to decide what to do, both about the incorrect HTML security trigger and about the more general removal of obsolete checks, and communication wasn't and still isn't very consistent. Sometimes you get advice on-wiki that's based on the current general state of things, but the state of things changes -- we have indeed decided that the IE 6/7 content-type-sniffing vulnerability is no longer a serious security consideration, but in January we hadn't decided that yet so you were given advice based on the current state of the world.

The one thing I will say is that Commons is only one affected site; this is part of MediaWiki core and affects all sites. It would have been wise to drop a visible note early on to our most populous file-upload wiki's community when we started talking about this again a few weeks ago, though. Including it in Tech News was good, but we could probably do better about reaching users where they are.

If there's anything else concrete we can do for this particular case, please let us know.

As far as filing RfCs etc -- keep in mind that different wikis and areas of work have different "RfC" processes. Some are more ordered than others, some use the wikis, some use phab. (I'm pretty sure Commons has some kind of RfC process on-wiki?) I recommend if you're not sure where to start, don't worry about the process yet -- but *DO* file a task in Phabricator. Otherwise us techies will not easily be able to track it or tell what past discussion has already occurred, and getting something done becomes very unlikely unless it's independently raised later (as happened here).

Comment Actions

If there's anything else concrete we can do for this particular case, please let us know.

Thank you. For this case, I think everything is fine now. I was just surprised to see how discussions about virtually the same subject took place without them being connected. It would perhaps have been more efficient if there had been a link. (T27707 contained plenty of relevant information)

As far as filing RfCs etc -- keep in mind that different wikis and areas of work have different "RfC" processes. Some are more ordered than others, some use the wikis, some use phab. (I'm pretty sure Commons has some kind of RfC process on-wiki?)

Yes, while https://commons.wikimedia.org/wiki/Commons:Requests_for_comment is abandoned, we use https://commons.wikimedia.org/wiki/Commons:Village_pump/Proposals for this purpose now.

I recommend if you're not sure where to start, don't worry about the process yet -- but *DO* file a task in Phabricator. Otherwise us techies will not easily be able to track it or tell what past discussion has already occurred, and getting something done becomes very unlikely unless it's independently raised later (as happened here).

Thank you, I will.

Comment Actions

FYI, someone from a school has left a message of appreciation for you/us at https://meta.wikimedia.org/w/index.php?title=Tech&oldid=23354622#Thank_you_letter_from_me_and_my_former_school_for_the_outstanding_browser_compatibility%2E – Copying:

By 2013, most computers at our school were already on Windows 7, but we also had older computers that still ran Windows 2000 and XP, with Internet Explorer 6. On some days, the newer computers were reserved, so we had no choice but to use the old Windows XP and 2000 computers.

On the old computers, we could usually not install a more modern browser, I guess due to lack of system privileges. Few of the computers had Opera or Firefox installed, but most did not. Many sites were broken and difficult to browse in Internet Explorer 6, but Wikipedia worked like a charm!

I can only imagine how much effort must have gone into persisting support for a decade-old browser, and for that, I and my then classmates and teachers would like to thank you. It was worth it! You spared us lots of headache!

Obviously, supporting IE6 today would not be worth it and the TLS 1.2 requirement prevents it from connecting anyway. But thanks for keeping it up as long as you did. Your team did outstanding work.