Timwi wrote:
> Tim Starling wrote:
>> For example, if a hacker wanted a page deleted
> Deletion is not editing. Stick to the topic!
>> they could write some javascript, put it up on their website, then post a link to it on the user talk page of an administrator.
> Which is OK, if it's just an edit, and it will be posted by its IP (rather than the admin's username).
No, it'll be posted under the admin's username. The request is sent with the cookies associated with the site that is posted to. Due to privacy restrictions on javascript, the script cannot obtain the text of any pages requested from another domain, so we deny requests from offsite javascript by requiring all write operations to first obtain a key from a page on our site.
The code and all the problems with it are shared between deletion and editing.
-- Tim Starling
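As an added illustration of the key-before-write scheme Tim describes (not MediaWiki's own code, which is PHP; the names SessionStore, issue_edit_token, handle_edit and the form field edit_token are assumptions made here), this Python model shows why a cross-site request that carries the admin's cookie but cannot read a page from our origin is refused:

```python
# Added example: a minimal model of "all write operations must first obtain
# a key from a page on our site". Names and the edit_token field are
# assumptions for this illustration, not MediaWiki identifiers.
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-server-secret"  # constructed; per-deployment secret in practice


class SessionStore:
    """Maps session cookies to a logged-in user and a per-session random salt."""
    def __init__(self):
        self._sessions = {}

    def new_session(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "salt": secrets.token_hex(16)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def issue_edit_token(store, sid):
    """Value embedded in a page served from our own origin (e.g. the edit form).
    The browser's same-origin restriction stops off-site script from reading it,
    so only a request assembled on our site can carry a matching token."""
    sess = store.get(sid)
    if sess is None:
        return None
    msg = (sid + sess["salt"]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def handle_edit(store, cookies, form):
    """Write handler. The session cookie proves who the browser is logged in as;
    the token proves the request was built from a page on our origin.
    Returns (status, message) so the outcome can be inspected."""
    sid = cookies.get("session")
    sess = store.get(sid)
    if sess is None:
        return (403, "not logged in")
    expected = issue_edit_token(store, sid)
    supplied = form.get("edit_token", "")
    # A cross-site request has the cookie (browser attaches it) but no token.
    if not hmac.compare_digest(expected, supplied):
        return (403, "missing or wrong edit token; write refused")
    return (200, f"edit saved as {sess['user']}")
```

The cookie alone yields a 403 in the cross-site case; only a request that first fetched the token from our own page succeeds.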