Brion Vibber wrote:
Dschwen wrote:
http://en.wikipedia.org/tools/~dschwen/wikiminiatlas/label/en_0_0_0 would fetch the content of http://tools.wikimedia.de/~dschwen/wikiminiatlas/label/en_0_0_0)?
Under NO circumstances will we ever do this, that's a serious security danger.
I fail to see how it would be a danger with a carefully selected set of forwards. We already have to trust the contributing admin users. Why would you categorically deny trust to another group of active developers on the toolserver?
It greatly increases the vulnerability landscape, whereas I'd prefer to decrease it by tightening controls on site JavaScript.
I'd like to point out in response to a private message from Greg that I'm not averse to any specific tools involving a backend on the toolserver, but just to setting up a general proxying service, which feels fundamentally unsafe to me.
I'm sorry if I sounded overly harsh or dismissive.
-- brion vibber (brion @ wikimedia.org)