There is a slight difference in the UX if you're using pushState vs
actually going to the page, so I think it would be noticed. But agree, I
should probably have said "make it more difficult".
On Wed, Sep 30, 2015 at 9:50 AM, Daniel Friesen <daniel(a)nadir-seen-fire.com>
wrote:
Bug? There is nothing that can be fixed.
You just have to accept that as long as the login page is on the same
domain as site scripts, there is no way to stop those scripts from
controlling the login page.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
On 2015-09-30 9:33 AM, Tyler Romeo wrote:
Is there a bug filed for that?
On Sep 30, 2015 12:13, "Daniel Friesen" <daniel(a)nadir-seen-fire.com>
wrote:
> On 2015-09-30 8:48 AM, Chris Steipp wrote:
>> * We disable site and user .js on Special:UserLogin, so a malicious admin
>> can't add password sniffing javascript to the login page
Note that you can make use of pushState to render this protection moot
for anyone who clicks the login link instead of directly visiting the
UserLogin page. Which is practically everyone.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l