Could someone explain a couple of things for me?

The wording of the OP for the original bug[1] seems to say that there is some other global
css/js which he refers to as "My global JS" which is different than
Common.(js|css). Am I interpreting that correctly or are they the same thing?

Why would css/js of a site be considered insecure for the special pages like the login
page if the site is already considered trusted in general by the user? Is this a standard
security measure that all legit sites around the Internet use (forums/twitter/online
banking/etc.)?

Thanks,
Al
[1]
________________________________
From: Mark A. Hershberger <mah(a)nichework.com>
To: MediaWiki-l <mediawiki-l(a)lists.wikimedia.org>
Sent: Thursday, November 6, 2014 7:58 AM
Subject: [MediaWiki-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on
Special:Login and Special:Preferences
TL;DR: Should we merge https://gerrit.wikimedia.org/r/#/c/165979/ and
release it with MediaWiki 1.24?
A lot of sites have used MediaWiki:Common.js and MediaWiki:Common.css to
customize the appearance of their site.
In a recent security release[1], support for JS and CSS with on-wiki
origins was removed from being displayed on the Special:Login and
Special:Preferences pages.
Because of how the on-wiki MediaWiki:Common.* pages are used and the
access restrictions on them, I think it is reasonable to allow JS and
CSS from them while continuing to disallow individuals' JS and CSS on
the Special:Preferences and Special:Login pages.
Alexia filed a bug[2] and Kunal (Legoktm) has provided a patch[3] to allow
site-wide styling back on those pages.
I'd like to merge this, but I want some input from the community and
security people before I do that.
Thanks,
Mark.
(Reply-to set to mediawiki-l.)
Footnotes:
[1] https://bugzilla.wikimedia.org/70672
[2] https://bugzilla.wikimedia.org/71621
[3] https://gerrit.wikimedia.org/r/#/c/165979/
--
Mark A. Hershberger
NicheWork LLC
717-271-1084