On Tue, May 27, 2014 at 10:10 PM, Matthew Flaschen
<mflaschen(a)wikimedia.org> wrote:
> On 05/27/2014 10:52 PM, Brian Wolff wrote:
>>> I specifically said bits.wikimedia.org and upload.wikimedia.org (and not
>>> commons.wikimedia.org), neither of which host user JavaScript.
>>>
>>> Matt Flaschen
>>
>> Gadgets are on bits and they are user controlled. Ditto for
>> mediawiki:common.js et al. (Unless you mean users as in non admins).
>>
>> I see no use case from allowing from bits. If someone wants an extension
>> asset they can upload it.
>
> You're right, I was completely wrong about the user JavaScript. Actually,
> user scripts are on bits too. Conceivably, it could limit it to
> directories starting with static-..., but that starts getting complicated.
>
> It's probably safer to limit it to user-uploaded Commons files as you said.

It *should* be difficult to get javascript to run inside an image-- you
would have to find an element that we allow that interprets javascript
source. If anyone comes up with a way, I'd be very interested in hearing
about it. If the javascript is already in an svg, then it's much easier to
get it to execute.
But overall it's much safer to just not allow it, which is why we currently
don't.

> Matt Flaschen
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l