On Thu, Jan 12, 2012 at 5:57 PM, Chad <innocentkiller(a)gmail.com> wrote:
On Thu, Jan 12, 2012 at 11:51 AM, Daniel Barrett
>> 8. Our MediaWiki:common.js stopped running on the login page. I
realize this was a security fix; it just took me by surprise. Fixed by
writing a custom extension using the hook UserLoginForm to inject the few
lines of JS we needed, and I'm evaluating other non-JS solutions for more
>This hasn't changed any time recently as far as I can tell...we've had
for quite awhile.
Thanks Chad. FYI, MediaWiki:common.js definitely runs on
1.17.1, the immediately previous release.
Hrm...I distinctly remember user's personal JS was disabled on that page.
I wonder if ResourceLoader by grouping the JS also ends up disabling it.
In either case, it is a security issue and there's not much we can do about
it right now.
You're both right. It's basically for ever that those special pages call
In 1.18 Happy-melon implemented something I think we should've had a long
ago, proper origin recognizition on a module/script level. So it is known
each module where it comes from and to what extend it should be trusted or
When rewriting security implementation from the basic
"OutputPage::disallowUserJs" to this more elaborate way (using ORIGIN
defined in the ResourceLoader class) it was probably (unconsciously?)
from just "JS by users", to "modules (js/css) by origin <= site"
matches user JS).
I'm not sure if that's how it happened, but that what I remember and it was