TL;DR: Should we merge https://gerrit.wikimedia.org/r/#/c/165979/ and release it with MediaWiki 1.24?
A lot of sites have used MediaWiki:Common.js and MediaWiki:Common.css to customize the appearance of their site.
In a recent security release[1], support for JS and CSS with on-wiki origins was removed from being displayed on the Special:Login and Special:Preferences pages.
Because of how the on-wiki MediaWiki:Common.* pages are used and the access restrictions on them, I think it is reasonable to allow JS and CSS from them while continuing to disallow individuals' JS and CSS on the Special:Preferences and Special:Login pages.
Alexia filed a bug[2] and Kunal (Legoktm) has provided a patch[3] to allow site-wide styling back on those pages.
I'd like to merge this, but I want some input from the community and security people before I do that.
Thanks,
Mark.
(Reply-to set to mediawiki-l.)
Footnotes:
[1] https://bugzilla.wikimedia.org/70672
[2] https://bugzilla.wikimedia.org/71621
[3] https://gerrit.wikimedia.org/r/#/c/165979/
On 11/6/14 6:58 AM, Mark A. Hershberger wrote:
> TL;DR: Should we merge https://gerrit.wikimedia.org/r/#/c/165979/ and release it with MediaWiki 1.24?
> A lot of sites have used MediaWiki:Common.js and MediaWiki:Common.css to customize the appearance of their site.
> In a recent security release[1], support for JS and CSS with on-wiki origins was removed from being displayed on the Special:Login and Special:Preferences pages.
To be clear, only CSS was removed. JS was already not allowed on Special:Login/Preferences.
> Because of how the on-wiki MediaWiki:Common.* pages are used and the access restrictions on them, I think it is reasonable to allow JS and CSS from them while continuing to disallow individuals' JS and CSS on the Special:Preferences and Special:Login pages.
> Alexia filed a bug[2] and Kunal (Legoktm) has provided a patch[3] to allow site-wide styling back on those pages.
Right, the patch only re-adds site-wide CSS, not JS.
-- Legoktm
Could someone explain a couple of things for me?
The wording of the OP for the original bug[1] seems to say that there is some other global css/js which he refers to as "My global JS" which is different from Common.(js|css). Am I interpreting that correctly or are they the same thing???
Why would css/js of a site be considered insecure for the special pages like the login page if the site is already considered trusted in general by the user? Is this a standard security measure that all legit sites around the Internet use (forums/twitter/online banking/etc.)?
Thanks, Al
[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=68521
> From: Mark A. Hershberger <mah@nichework.com>
> To: MediaWiki-l <mediawiki-l@lists.wikimedia.org>
> Sent: Thursday, November 6, 2014 7:58 AM
> Subject: [MediaWiki-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on Special:Login and Special:Preferences
> -- Mark A. Hershberger, NicheWork LLC, 717-271-1084
> MediaWiki-l mailing list. To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Al alj62888@yahoo.com writes:
> Why would css/js of a site be considered insecure for the special pages like the login page if the site is already considered trusted in general by the user?
Site-wide CSS/JS wouldn't normally be considered insecure. The original bug creator was talking about their own global CSS/JS which is loaded, if I understand correctly, via the Extension:GlobalCssJs[1] from meta.wikimedia.org[2].
Footnotes:
[1] https://www.mediawiki.org/wiki/Extension:GlobalCssJs
[2] https://www.mediawiki.org/wiki/Help:Extension:GlobalCssJs
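To make the origin distinction discussed in this thread concrete, here is an added Python model (not MediaWiki's own code) of how a page's per-type origin limit decides which CSS/JS modules may load: site-wide MediaWiki:Common.* pages sit at a lower trust level than an individual's own or global CSS/JS, so a restricted page can admit site CSS while still rejecting everything user-controlled and all wiki-editable JS. The constant names and numeric levels follow MediaWiki's ResourceLoaderModule class; the module table, the page policy and the `allow_site_css` switch are constructed for this example.

```python
# Origin levels as declared by MediaWiki's ResourceLoaderModule (higher = less trusted).
ORIGIN_CORE_SITEWIDE = 1      # shipped with core or an extension
ORIGIN_CORE_INDIVIDUAL = 2    # core module whose content depends on the viewing user
ORIGIN_USER_SITEWIDE = 3      # wiki-editable site pages: MediaWiki:Common.css / Common.js
ORIGIN_USER_INDIVIDUAL = 4    # one person's pages: User:Foo/common.css, global CSS/JS
ORIGIN_ALL = 10               # no restriction

TYPE_SCRIPTS = "scripts"
TYPE_STYLES = "styles"

# Constructed sample module registry: name -> (declared origin, content types it delivers).
MODULES = {
    "mediawiki.util":       (ORIGIN_CORE_SITEWIDE,   {TYPE_SCRIPTS}),
    "user.options":         (ORIGIN_CORE_INDIVIDUAL, {TYPE_SCRIPTS}),
    "site":                 (ORIGIN_USER_SITEWIDE,   {TYPE_SCRIPTS}),   # MediaWiki:Common.js
    "site.styles":          (ORIGIN_USER_SITEWIDE,   {TYPE_STYLES}),    # MediaWiki:Common.css
    "user":                 (ORIGIN_USER_INDIVIDUAL, {TYPE_SCRIPTS}),   # User:Foo/common.js
    "user.styles":          (ORIGIN_USER_INDIVIDUAL, {TYPE_STYLES}),    # User:Foo/common.css
    "ext.globalCssJs.user": (ORIGIN_USER_INDIVIDUAL, {TYPE_SCRIPTS, TYPE_STYLES}),  # from meta
}

RESTRICTED_PAGES = {"Special:UserLogin", "Special:Preferences"}


def allowed_origins(page, allow_site_css):
    """Highest origin level the page accepts for each content type (model of disallowUserJs)."""
    if page in RESTRICTED_PAGES:
        # Wiki-editable JS is never run here. Site-wide CSS is the configurable
        # exception the patch in this thread introduces; user CSS stays blocked.
        style_limit = ORIGIN_USER_SITEWIDE if allow_site_css else ORIGIN_CORE_INDIVIDUAL
        return {TYPE_SCRIPTS: ORIGIN_CORE_INDIVIDUAL, TYPE_STYLES: style_limit}
    return {TYPE_SCRIPTS: ORIGIN_ALL, TYPE_STYLES: ORIGIN_ALL}


def modules_for_page(page, allow_site_css, modules=MODULES):
    """Return {content type: sorted module names} that the page is permitted to load."""
    limits = allowed_origins(page, allow_site_css)
    allowed = {TYPE_SCRIPTS: [], TYPE_STYLES: []}
    for name, (origin, types) in modules.items():
        for content_type in types:
            # A module is dropped for a type when its origin exceeds the page's limit.
            if origin <= limits[content_type]:
                allowed[content_type].append(name)
    return {t: sorted(names) for t, names in allowed.items()}


if __name__ == "__main__":
    for allow in (False, True):
        print("Special:UserLogin, site CSS allowed =", allow, "->",
              modules_for_page("Special:UserLogin", allow))
```

Running it shows that with the switch off only core modules survive on the login page, with it on `site.styles` is added while `site`, `user`, `user.styles` and the global CSS/JS module stay blocked, and an ordinary article page loads everything.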