Gregory Maxwell wrote:
> For a proxy to present no additional security holes over what we have today it would have to be limited to only work on sysop-approved URLs.
> I got the impression from Domas that what we have today isn't considered very good... but we can't make a hard-security improvement on it unless we disable JS editing by sysops, which would result in a substantial loss of functionality and development resources.
> It seems to me that a proxy with an access control list would actually improve security since there would be a single point to look to see what external scripts can be imported... rather than trying to track down all the places in the site JS where it's being accomplished via script tag injection.
*nod*
What I think I'd like to see us move a little more towards is a model like that where we've got some concept of available JS-based plugins.
That can make management, maintenance, and user-level selection a lot easier than the haphazard 'add this <script=blah> command to your secret JS page' interface we have now; and the easier it is to see what's there the easier it's going to be to keep it secure.
-- brion vibber (brion @ wikimedia.org)
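The access-control-list proxy discussed above, reduced to its decision logic, as an added example that is not code from this thread, from MediaWiki, or from any proxy the participants built. The approved list, the host names and the request log are constructed for illustration; the point it shows is that when every external script import passes through one allowlist check, the list itself is the single place a reviewer looks, and non-canonical URLs (userinfo, odd ports, dot segments, query strings) are denied before any string comparison happens.

```python
"""Allowlist enforcement for a script-import proxy.

Added example, not code from the thread or from MediaWiki. The approved
list, the host names and the request log below are all constructed.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed, hypothetical sysop-approved (host, path) pairs. This set is
# the one artefact a reviewer has to read to know what can be imported.
APPROVED_SCRIPTS = {
    ("tools.example.org", "/scripts/popups.js"),
    ("tools.example.org", "/scripts/navigation.js"),
}


def check_script_url(url, approved=APPROVED_SCRIPTS):
    """Return (allowed, reason). Only an exact, canonical https URL on the
    approved list passes; everything else is denied with a short reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "scheme is not https"
    # user:pass@host would let the visible prefix look like an approved host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in authority"
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "non-default port"
    host = (parts.hostname or "").lower()  # hostname is already lowercased
    if not host:
        return False, "missing host"
    if parts.query or parts.fragment:
        return False, "query or fragment not allowed"
    path = parts.path
    # Require the path to already be canonical: no '.', '..', '//' or
    # percent-encoding, so a single tuple lookup is the whole decision.
    if (not path.startswith("/") or path != posixpath.normpath(path)
            or "%" in path):
        return False, "non-canonical path"
    if (host, path) not in approved:
        return False, "not on approved list"
    return True, "approved"


def audit_requests(log_lines, approved=APPROVED_SCRIPTS):
    """Scan proxy request lines of the form '<user> <url>' and return the
    denied ones as (user, url, reason) tuples, in log order."""
    denied = []
    for line in log_lines:
        user, _, url = line.strip().partition(" ")
        allowed, reason = check_script_url(url, approved)
        if not allowed:
            denied.append((user, url, reason))
    return denied


# Constructed request log: two legitimate imports and four that the
# allowlist proxy should refuse for different reasons.
SAMPLE_LOG = [
    "Alice https://tools.example.org/scripts/popups.js",
    "Bob https://TOOLS.example.org:443/scripts/navigation.js",
    "Mallory http://tools.example.org/scripts/popups.js",
    "Mallory https://tools.example.org@unapproved.example/scripts/popups.js",
    "Carol https://tools.example.org/scripts/../scripts/popups.js",
    "Dave https://tools.example.org/scripts/popups.js?v=2",
]

if __name__ == "__main__":
    for user, url, reason in audit_requests(SAMPLE_LOG):
        print("DENY %s %s (%s)" % (user, url, reason))
```

The decision is deliberately exact-match on (host, path): Bob's mixed-case host with an explicit :443 is normalised and passes, while a query string or a `..` segment is refused rather than resolved, since anything that has to be normalised before comparison is something a reviewer reading the list cannot see.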