Hiii!
Didn't spot this email when sending my reply :)
> I can already devise user-JS on wikipedia which could remote control the users' browser to surf to their homebanking site in an iframe.
I don't care about home banking. In this case the problem is
wikipedia account integrity.
> Now if XSS were allowed I could manipulate the iframe (fill in money amounts and guessed passwords, submit forms etc.). This is NOT allowed as the wikipedia JS cannot access pages from arbitrary different domains. That's a good thing.
But you can fetch all user's wikipedia session details, and do nasty
stuff. Like xmlrequests changing passwords, deleting pages and
putting huge genitalia images on front pages. :)
> Now with the reverse proxy we are not deactivating XSS entirely, we are just allowing remote controlled access to pages on one single server: the toolserver (plus we enable XHR which is very useful).
That remote controlled access provides the session data of wikipedia users to any toolserver account.
> I don't see how this would generate any exploitable security holes. But maybe I'm missing part of the picture?!
Yup, you are!
--
Domas Mituzas --
http://dammit.lt/ -- [[user:midom]]