On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott datzrott@alizeepathology.com wrote:
> This seems completely reasonable to me. I'd merge it personally. Is there any reason not to?
It's fairly easy to inject JavaScript via CSS, so merging that patch means an admin can run JavaScript on the login/preferences page, while we specifically block JavaScript from Common.js, etc.
For me, I like knowing that when I log in on a random wiki in our cluster, a site admin can't have (maliciously or unintentionally) put JavaScript on the login page to sniff my password. I'd prefer Kunal's patch had a feature flag so we could disable this on WMF wikis, but sites with robust auditing of their common.css can enable it.