On Tue, May 27, 2014 at 10:10 PM, Matthew Flaschen <mflaschen@wikimedia.org> wrote:
> On 05/27/2014 10:52 PM, Brian Wolff wrote:
>> I specifically said bits.wikimedia.org and upload.wikimedia.org (and not
>> commons.wikimedia.org), neither of which host user JavaScript.
>> Matt Flaschen
> Gadgets are on bits and they are user controlled. Ditto for mediawiki:common.js et al. (Unless you mean users as in non-admins.) I see no use case for allowing from bits. If someone wants an extension asset, they can upload it.
You're right, I was completely wrong about the user JavaScript. Actually, user scripts are on bits too. Conceivably, it could limit it to directories starting with static-..., but that starts getting complicated. It's probably safer to limit it to user-uploaded Commons files as you said.
It *should* be difficult to get JavaScript to run inside an image -- you would have to find an element that we allow that interprets JavaScript source. If anyone comes up with a way, I'd be very interested in hearing about it. If the JavaScript is already in an SVG, then it's much easier to get it to execute.
But overall it's much safer to just not allow it, which is why we currently don't.
Matt Flaschen
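The policy the thread settles on (reject script-bearing SVG elements and allow external references only to user-uploaded files on upload.wikimedia.org, not bits) as an added example of a server-side upload check. This is illustrative code, not MediaWiki's own SVG sanitizer; the allow-list, the sample SVG documents and the list of flagged elements are assumptions.

```python
"""Flag script execution vectors and off-host references in an uploaded SVG.
Added example, not MediaWiki code. Use defusedxml.ElementTree for untrusted
input in production; stdlib ElementTree is used here to stay self-contained."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: only user-uploaded files may be referenced (not bits, which
# hosts gadgets and user scripts).
ALLOWED_HOSTS = {"upload.wikimedia.org"}
# Elements that execute script or embed remote active content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}

def _local(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tags/attributes."""
    return qname.split("}", 1)[-1].lower()

def _check_ref(elem, value):
    v = value.strip()
    if v.startswith("#"):
        return []  # same-document reference, e.g. <use xlink:href="#shape">
    parts = urlparse(v)
    if parts.scheme.lower() in ("javascript", "data"):
        return [("unsafe-scheme", f"{elem}->{parts.scheme.lower()}:")]
    host = parts.hostname
    if host is None and not parts.scheme:
        return []  # relative path: resolves on the serving host itself
    if host not in ALLOWED_HOSTS:
        return [("external-host", f"{elem}->{host or v}")]
    return []

def svg_findings(svg_text):
    """Return (reason, detail) findings; an empty list means the SVG passed."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        if not isinstance(el.tag, str):
            continue  # comments and processing instructions
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(("active-element", name))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):  # onload=, onclick=, ...
                findings.append(("event-handler", f"{name}@{aname}"))
            elif aname in ("href", "src"):  # covers xlink:href too
                findings.extend(_check_ref(name, value))
            elif aname == "style" and "url(" in value.lower():
                findings.append(("style-url", f"{name}@style"))
    return findings

def is_safe_svg(svg_text):
    return not svg_findings(svg_text)

# Constructed sample documents for demonstration.
SVG_NS = 'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
SVG_BITS = f'<svg {SVG_NS}><image xlink:href="//bits.wikimedia.org/static-1.24/x.png"/></svg>'
SVG_CLEAN = f'<svg {SVG_NS}><image xlink:href="https://upload.wikimedia.org/a.png"/><use xlink:href="#s"/></svg>'
SVG_HANDLER = f'<svg {SVG_NS}><circle r="1" onload="/* constructed */"/></svg>'
```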
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l