Hiii!
Didn't spot this email when sending my reply :)
I can already devise user-JS on wikipedia which could remote control the users' browser to surf to their homebanking site in an iframe.
I don't care about home banking. In this case the problem is wikipedia account integrity.
Now if XSS were allowed I could manipulate the iframe (fill in money amounts and guessed passwords, submit forms etc.). This is NOT allowed as the wikipedia JS cannot access pages from arbitrary different domains. That's a good thing.
But you can fetch all user's wikipedia session details, and do nasty stuff. Like xmlrequests changing passwords, deleting pages and putting huge genitalia images on front pages. :)
Now with the reverse proxy we are not deactivating XSS entirely, we are just allowing remote controlled access to pages on one single server: the toolserver (plus we enable XHR which is very useful).
That remote controlled access provides session data of wikipedia users to any toolserver account.
I don't see how this would generate any exploitable security holes. But maybe I'm missing part of the picture?!
Yup, you are!