Ori Livneh wrote:
The critical issue is *security*. Security is the reason the graph
extension is not enabled. Security is the reason why
interactive SVGs
are not enabled. Interactive visualizations have a programmatic element
that consists of code that executes in the user's browser.
Gergő Tisza wrote:
Security is a challenge but could be worked around via iframes.
Discussions as to the security of iframes are ongoing, such as
https://phabricator.wikimedia.org/T222807 and a number of others.
It is time to resolve this once and for all. How can we adjudicate this
question and say definitively that iframes mitigate the security risk of
running Javascript in the user's browser if certain specified requirements
are met?