[Labs-l] Full Text Reference Tool: Approved exposing of ip addresses to an external API

[Jeremy Baron]

HI,

On Thu, May 29, 2014 at 2:29 PM, Marc-André Pelletier
<mpelletier at wikimedia.org> wrote:
> On 05/29/2014 09:59 AM, Jake Orlowitz wrote:
>> If we have to run our own instance, will That allow us to share real ip
>> addresses?
>
> It will; as clients will connect to a web server that is under your
> administrative control.

Only if Jake doesn't use the proxy service?

>> Are there any approved exceptions where user ip addresses could be
>> exposed on Tool Labs (say, if WMF said it was ok)?  Would this be
>> technically possible?
>
> Ostensibly, yes -- that is there is no *prohibition* from doing so but
> the current setup makes it /technically/ difficult.

Is it possible that the proxy service could have a whitelist of tools
that should receive accurate remote IPs?

>> Is there some workaround here that I'm missing, or that would be much
>> simpler?
>
> It may be possible to have the client /itself/ report its IP to you with
> some javascript.
>
> http://stackoverflow.com/questions/391979/get-client-ip-using-just-javascript
>
> offers some suggestions on how to do so.  This is a little tricky but,
> with suitable user understanding should also be okay.  That said, most
> of those solutions include a third party for reliability so it has
> implications of its own.

Maybe better to use https://geoiplookup.wikimedia.org/ ? (which maybe
even would be cached locally already? it's now set to cache
client-side for 24 hrs)

Possible drawback (or benefit maybe) is that it would be IPv4 always
even if the connection to labs is IPv6.

I'm interested in learning why the IP is needed at all though. It
seems to me that doing it client-side may negate the original purpose
of sending it? i.e. it can now be spoofed trivially

Maybe we could work something out during the conference.

-Jeremy