Like James, I'd be fine with having the allowlist on wiki.
I don't think it's a good idea to
remove the allowlist though. If you remove it, the upload-by-url feature might become a vector for an amplification DoS attack. As of today, upload_by_url can be used by any and all Commons users. With no allowlist, it'd be much easier to instruct our servers to request an excessive amount of data from a target server of your choice. This will (likely? didn't check) be restricted by our own rate limits on uploading, but the upload rate limits are virtually nonexistent for autopatrollers and above (which is a role reasonably easy to get; much easier than
+sysop, for example). I'm not sure if this kind of abuse is likely to happen.
However, I recall it given as an explanation when I wondered why the allowlist exists a few years ago. What do you think Taavi?
Martin Urbanec