On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott
<datzrott(a)alizeepathology.com> wrote:
> This seems completely reasonable to me. I'd merge is personally. Is there
> any reason not to?
It's fairly easy to inject javascript via css, so merging that patch
means an admin can run javascript on the login/preferences page, while
we specifically block javascript from Common.js, etc.
For me, I like knowing that when I login on a random wiki in our
cluster, a site admin can't have (maliciously or unintentionally) put
javascript on the login page to sniff my password. I'd prefer Kunal's
patch had a feature flag so we could disable this on WMF wikis, but
sites with robust auditing of their common.css can enable it.