On 9/4/07, Domas Mituzas <midom.lists(a)gmail.com> wrote:
Bryan,
XSS attacks are already possible by those who can edit the JS files by
using the document.write('<script src=" trick.
That is:
a) Available to sysops of particular project only
It would be easy enough to make the proxy functionality only work for
specific URLs defined in a mediawiki message page. Tada: back to the
same level of oversight and control that we already have.
Oh, and adding to Dschwen's initial point.. the code should remove any
session cookie and replace it with a cookie indicating a confirmed
username.
Again, this already happens.
How? When?
Any sysop can already insert scripts which call remote scripts which
have ongoing communication by inserting script tags over and over
again. It's kludgy but it works.
It's also possible to use an invisible iframe as a request proxy off
to another domain:
http://blog.monstuff.com/archives/000304.html
In terms of security profile adding a proxy wouldn't change anything..
but it would allow legitimate tool authors to avoid ugly kludges
needed to work around the 'security behavior'.
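
The restriction proposed in this message (proxy only the URLs listed on a MediaWiki message page, drop the session cookie, send a cookie naming the confirmed user), sketched as an added example that is not part of the original email and is not MediaWiki code. The page format, function names, cookie name and URLs are assumptions, and `confirmedUser` is assumed to come from the server's own session check.

```javascript
// Added illustration; every name below is hypothetical.
// Constructed sample of the allowlist message page: one URL per "*" line.
const SAMPLE_ALLOWLIST_PAGE = `
* https://tools.example.org/api/catscan
* https://tools.example.org/api/geo
this line is ignored because it is not a bullet
`;

// Comparison key: scheme + host + port + normalized path (query is caller-supplied).
function canonical(u) {
  return u.origin + u.pathname;
}

// Parse the message page text into a set of allowed targets.
function parseAllowlist(pageText) {
  const allowed = new Set();
  for (const line of pageText.split("\n")) {
    const m = /^\*\s*(\S+)\s*$/.exec(line);
    if (!m) continue;
    try {
      const u = new URL(m[1]);
      if (u.protocol === "https:" || u.protocol === "http:") allowed.add(canonical(u));
    } catch { /* skip entries that are not valid absolute URLs */ }
  }
  return allowed;
}

// Build the outbound request, or return null when the target is not allowed.
function buildProxyRequest(target, inboundHeaders, confirmedUser, allowed) {
  let u;
  try { u = new URL(target); } catch { return null; }
  // Reject userinfo tricks (https://allowed.host@other.host/) and unlisted targets.
  if (u.username || u.password || !allowed.has(canonical(u))) return null;
  const headers = {};
  for (const [name, value] of Object.entries(inboundHeaders)) {
    const n = name.toLowerCase();
    // Never forward the wiki session or other credentials to the remote tool.
    if (n === "cookie" || n === "authorization" || n === "host") continue;
    headers[n] = value;
  }
  // Replace the session with a cookie that only names the confirmed user;
  // percent-encoding keeps CR/LF in a user name out of the header.
  headers["cookie"] = "confirmedUser=" + encodeURIComponent(confirmedUser);
  return { url: u.href, headers };
}
```

Matching on the parsed origin and path, rather than on a string prefix, is what keeps look-alike hosts and `../` paths from passing the check.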