It does if it's a pure proxy with no access control because I could say
"Hey, Bryan load
http://commons.wikimedia.org/w/api.php?tsproxy=~evil/evil.js ".. and you
follow the link and evil js happily steals your session cookie and begins
to replace every image with goatse.
Then I should point out that this very thing is currently possible with this
link:
http://commons.wikimedia.org/wiki/Eurotunnel?withJS=User:Dschwen/evil.js%26…
Uhm, actually this wasn't supposed to work, but the security checks on the
withJS thingie are a little flaky. I'll fix this in a minute.
--
[[:en:User:Dschwen]]
[[:de:User:Dschwen]]
[[:fr:User:Dschwen]]
[[:commons:User:Dschwen]]
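
An added example, not part of this thread and not Commons' own code: a strict check for a withJS-style parameter of the kind discussed above, validating the decoded value against an allowlist before anything is loaded. The policy (only MediaWiki:-namespace titles ending in .js), the function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Assumed policy: only pages in the MediaWiki: namespace (editable by admins
// only) whose title ends in .js may be loaded. Not Commons' actual rule.
// The character class is an allowlist, so '&', '=', '%', '#', '?', ':' and
// anything else that could start a second parameter never matches.
const ALLOWED_TITLE = /^MediaWiki:[\w .\/-]+\.js$/;

// Returns the validated script title, or null if the request must be ignored.
function scriptTitleFromUrl(href) {
  const values = new URL(href).searchParams.getAll('withJS');
  // Reject absent AND repeated parameters: with duplicates, the checker and
  // the loader could each pick a different copy.
  if (values.length !== 1) return null;
  // URLSearchParams has percent-decoded the value exactly once. Validate this
  // decoded string, because an encoded '&' (%26) is only visible after decoding.
  const title = values[0];
  return ALLOWED_TITLE.test(title) ? title : null;
}

// Builds the script URL from the validated title only. The title is
// re-encoded by URLSearchParams, never concatenated into the query string.
function loaderUrl(href) {
  const title = scriptTitleFromUrl(href);
  if (title === null) return null;
  const out = new URL('/w/index.php', new URL(href).origin);
  out.searchParams.set('title', title);
  out.searchParams.set('action', 'raw');
  out.searchParams.set('ctype', 'text/javascript');
  return out.toString();
}

// Constructed sample requests (not taken from the thread).
const BASE = 'http://commons.wikimedia.org/wiki/Eurotunnel?withJS=';
const SAMPLES = [
  BASE + 'MediaWiki:Gadget-example.js',              // allowed
  BASE + 'User:Example/evil.js',                     // wrong namespace
  BASE + 'MediaWiki:x.js%26title=User:Example/e.js', // encoded '&'
  BASE + 'MediaWiki:x.js%2526title=User:Example/e.js', // double-encoded '&'
  BASE + 'MediaWiki:a.js&withJS=User:Example/e.js',  // repeated parameter
];

for (const s of SAMPLES) {
  console.log(scriptTitleFromUrl(s) === null ? 'REJECT' : 'ALLOW ', s);
}
```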