Closed Bug 833914 Opened 11 years ago Closed 7 years ago

create nearly-empty bleach whitelist for subset of users

Categories

(developer.mozilla.org :: Security, defect)

Product:
developer.mozilla.org
Component:
Security
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: groovecoder, Unassigned)

References

Details

To help doc writers convert inline code examples to live samples, we should create a (nearly) empty bleach whitelist behind a waffle flag. Then put a subset of users into a group with that waffle flag activated. Those users will then see which inline examples break, and convert them to live samples.
I'd say make it totally empty, and see what breaks. That could be instructive to see what our end-game, nearly empty whitelist should have.

Even better, make the toggle switch to a constance-controlled whitelist that we can tweak on the fly without a push.

Another idea: Can waffle work from a cookie? Might be interesting to set or clear a cookie to let users opt-in or out from the new whitelist, even atop the super-user detect
Depends on: 834296
Depends on: 834297
Whiteboard: c=Security sp=3
Whiteboard: c=Security sp=3
This technique may have been useful in 2013, but today I don't think it will get us to the point where we can start reducing the current whitelist:

1) It requires per-page editing and visual inspection of the pages.  There are currently 52,000 English pages, so if it took a minute per page, we'd need over 860 man-hours to inspect all the pages.
2) Assuming that we fixed all the English pages, there's another 58,000 non-English translations that would be potentially broken.
3) MDN staff and volunteers haven't completed the conversion to live samples in the last 4 years, when the project was fresh. Now that the project is stale, it is much less likely that the remaining pages will be organically updated.

I think a better method going forward is:

1) Periodically create and publish a report of pages using a feature that we'd like to remove from the whitelist.
2) Encourage staff and contributors to remove that feature from the listed pages
3) When the English page count goes to zero, remove it from the bleach allowed list

I've added this new feature idea as bug 1328439.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.