Hi Strainu,
We were trying to balance how much data vs summary information to give to
people, but you can find the issues vs. resolution table here:
where you can follow the
discussion. The end result was that this was a low severity issue, we're
definitely not going to do away with user javascript, instead we may add a
warning if we can find a useful UX experience for the user.
On Mon, Apr 27, 2015 at 8:35 AM, Strainu <strainu10(a)gmail.com> wrote:
I personally find one of the suggestions in the report
worrying:
"Eliminate custom CSS/JavaScript. iSEC found multiple issues with the
custom JavaScript system.
This system appears to pose significant risk for relatively small
benefit. As such, iSEC recommends
that Wikimedia Foundation deprecate this functionality and allow users
instead to customize their
experience on the client side using browser extensions such as
Greasemonkey or Tampermonkey."
This is related to one of the problems identified by the team: "Users
can inspect each other's personal JavaScript"
While the custom JS is used by a relatively small number of users, the
ability to learn and copy another user's scripts has played an
important part in the development(and maintenance) of scripts that are
now considered essential by many Wikimedians (twinkle and wikied come
to mind).
Furthermore, replacing those script with Greasemonkey scripts would
lead to a "black market" of Wiki-scripts shared through channels
external to our sites. Those scripts would be even more prone to
social engineering attacks and could endanger our user's security.
I would like to know if the WMF is indeed considering completely
dropping the custom JS feature and if so, what is the timeline for
this change?
Thanks,
Strainu
2015-04-21 4:41 GMT+03:00 Pine W <wiki.pine(a)gmail.com>om>:
Thanks for your work on this, Chris.
Forwarding to Wikitech-l.
Pine
On Apr 20, 2015 4:58 PM, "Chris Steipp" <csteipp(a)wikimedia.org> wrote:
>
> On Apr 20, 2015 4:13 PM, "Andrew Sherman" <asherman(a)wikimedia.org>
wrote:
> >
> > Hello Everyone,
> >
> > We just published "Improving the security of our users on Wikimedia
> sites" to the blog. URL:
> >
> >
https://blog.wikimedia.org/2015/04/20/improving-security-for-our-users/
> >
> > Thanks to Chris for writing and helping us edit this post.
> >
> > Below are some proposed social media messages. Tweak as needed.
> >
> > Twitter
> >
> > We teamed up with @iSECPartners and @OpenTechFund to assess the
security
> of our sites. Check out the report here
[link]
> >
> > FB/G+
> >
> > We teamed up with iSEC Partners to assess the security of our sites
and
> protect the privacy of our users. Their
engineers developed attacks
against
the
current version of MediaWiki to identify security flaws, in a new
report sponsored by the Open Technology Fund. [link]
Maybe just "MediaWiki" instead of "the current version of
MediaWiki",
since we did a release to specifically fix issues that they found. Might
confuse some people as is.
Thanks,
--
Andrew Sherman
Digital Communications | Wikimedia Foundation
E: asherman(a)wikimedia.org
WMF: ASherman (WMF)
_______________________________________________
Social-media mailing list
Social-media(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/social-media
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l