On Thu, May 17, 2012 at 11:19 PM, Daniel Friesen <lists(a)nadir-seen-fire.com> wrote:

> On Wed, 16 May 2012 19:32:40 -0700, Terry Chay <tchay(a)wikimedia.org> wrote:
>
>> On May 16, 2012, at 12:03 PM, Daniel Friesen wrote:
>>
>>> JSON callbacks can be initiated by 3rd party websites. Allowing json
>>> callbacks to act as the logged in user would allow any website on the
>>> internet to extract information that is supposed to be private and
>>> potentially make unauthorized write actions on the wiki.
>>>
>>> Private wiki content could be extracted.
>
> Yep! Still can on some browsers.
>
>>> Articles could be edited in your name.
>>
>> I thought http://www.mediawiki.org/wiki/Manual:Edit_token against this
>> as it is required for an edit:
>> http://www.mediawiki.org/wiki/API:Edit
>
> Yes. Except you can get tokens by the api. If we didn't drop permissions
> to anon and reject requests for tokens to JSONP then it would be possible
> for a 3rd party website to use JSONP to extract an edit token, and then
> initiate a background iframe form POST to make an edit under your account.
>
> Read up. :)
Terry/Roan mentioned that you can use regular JSON output format, and
override the property setter to steal the data.
--
Andrew Garrett
Wikimedia Foundation
agarrett(a)wikimedia.org
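The two server-side rules Daniel describes (serve JSONP requests as the anonymous user, and refuse to hand out tokens over JSONP) as a small added example; this is illustrative code written for this page, not MediaWiki's own API code, and the handler name, parameter names and sample data are constructed for the example:

```javascript
// Constructed sample data standing in for a page only logged-in users may read.
const PRIVATE_PAGE = { title: 'Secret', text: 'internal notes' };

// A callback parameter turns the JSON response into a script that any origin
// can load with a <script> tag, so whatever it contains is readable cross-site.
function isJsonpRequest(params) {
  return params.format === 'json' && typeof params.callback === 'string';
}

// Hypothetical API handler: `params` are the query-string parameters, `session`
// is the cookie-authenticated session. Parameter names only loosely follow the
// MediaWiki API and are assumptions of this example.
function handleApiRequest(params, session) {
  const jsonp = isJsonpRequest(params);

  // Rule 1: a JSONP request is processed as the anonymous user, regardless of
  // which cookies arrived with it, so private content never ends up in the script.
  const anonymous = { name: null, canReadPrivate: false };
  const user = jsonp ? anonymous : session.user;

  if (params.action === 'tokens') {
    // Rule 2: never issue an edit token over JSONP. A third-party page that could
    // read the token could then submit a cross-site form POST as the logged-in user.
    if (jsonp) {
      return { error: { code: 'tokens-jsonp', info: 'Tokens are not available via JSONP' } };
    }
    return { tokens: { edittoken: session.editToken } };
  }

  if (params.action === 'query' && params.prop === 'revisions') {
    if (!user.canReadPrivate) {
      return { error: { code: 'readapidenied', info: 'You need read permission' } };
    }
    return { query: { pages: [PRIVATE_PAGE] } };
  }

  return { error: { code: 'unknown_action', info: 'Unrecognised action' } };
}

// Wraps a result in the requested callback; only ever called on results that were
// already computed under the anonymous user, so the script body carries nothing private.
function renderJsonp(params, result) {
  return `${params.callback}(${JSON.stringify(result)})`;
}
```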