On 9/4/07, Domas Mituzas midom.lists@gmail.com wrote:
> Bryan,
> XSS attacks are already possible by those who can edit the JS files by using the document.write('<script src=" trick.
> That is: a) Available to sysops of particular project only
It would be easy enough to make the proxy functionality only work for specific URLs defined in a mediawiki message page. Tada: back to the same level of oversight and control that we already have.
>> Oh, and adding to Dschwen's initial point... the code should remove any session cookie and replace it with a cookie indicating a confirmed username.
> Again, this already happens.
How? When?
Any sysop can already insert scripts which call remote scripts which have ongoing communication by inserting script tags over and over again. It's kludgy but it works.
It's also possible to use an invisible iframe as a request proxy off to another domain: http://blog.monstuff.com/archives/000304.html
In terms of security profile adding a proxy wouldn't change anything... but it would allow legitimate tool authors to avoid ugly kludges needed to work around the 'security behavior'.
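The allowlist the reply proposes (proxy targets defined in a MediaWiki message page) and the component-wise URL matching a proxy would need to enforce it, as an added example that is not code from this thread or from MediaWiki; the message text, hostnames and function names are assumptions:

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed stand-in for the message page holding allowed proxy targets:
# one URL per line, "#" lines are comments.
PROXY_ALLOWLIST_MESSAGE = """\
# proxied tool back-ends, one per line
https://tools.example.org/api/
https://geo.example.net/lookup
"""


def _components(url):
    """Normalised (scheme, host, port, path) for a URL, or None if unusable."""
    try:
        p = urlsplit(url)
        port = p.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    if p.username or p.password:  # rejects https://allowed.host@other.host/
        return None
    if any(seg in (".", "..") for seg in p.path.split("/")):  # no dot segments
        return None
    return (p.scheme, p.hostname.lower(), port or DEFAULT_PORTS[p.scheme], p.path)


def parse_allowlist(text):
    """Parse the message page; malformed entries are dropped, never trusted."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            comps = _components(line)
            if comps is not None:
                entries.append(comps)
    return entries


def is_allowed(url, allowlist):
    """True only if scheme, host and port match exactly and the path sits
    under the entry's path at a segment boundary (not a raw string prefix,
    so tools.example.org.attacker.example or /lookupx do not pass)."""
    req = _components(url)
    if req is None:
        return False
    scheme, host, port, path = req
    for a_scheme, a_host, a_port, a_path in allowlist:
        if (scheme, host, port) != (a_scheme, a_host, a_port):
            continue
        if path == a_path or path.startswith(a_path.rstrip("/") + "/"):
            return True
    return False
```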