Hello all,
Please take a few seconds to have a look at http://bugzilla.wikimedia.org/show_bug.cgi?id=12681 and help with your comments about whether we should apply this change or not. Applying it will prevent people from spoofing the "new message" alert, but at the same time, will make the new message bar to appear where it never appeared before, which may not be desired.
Thanks in advance,
Hojjat (aka Huji)
On 1/24/08, Huji huji.huji@gmail.com wrote:
Please take a few seconds to have a look at http://bugzilla.wikimedia.org/show_bug.cgi?id=12681 and help with your comments about whether we should apply this change or not. Applying it will prevent people from spoofing the "new message" alert, but at the same time, will make the new message bar to appear where it never appeared before, which may not be desired.
Is a technical solution necessary? Is there consensus that "new message" spoofing should be prohibited?
Steve
On Fri, Jan 25, 2008 at 01:18:02AM +1100, Steve Bennett wrote:
Is a technical solution necessary? Is there consensus that "new message" spoofing should be prohibited?
I have yet to see anyone who supports spoofing. Some editors support (excessively, in my opinion) self-expression on user pages. But this proposed change doesn't curtail self expression, it merely makes it more difficult to use self-expression to spoof user interface. So I think would have agreement by the editors whose concern is self expression.
My concern has always been that spoofed UI could be used for various sorts of fraudulent purposes, since users by and large will trust that links which appear genuine are genuine, and that links without an external link marker are internal links.
Carl
On Jan 24, 2008 7:42 AM, Huji huji.huji@gmail.com wrote:
Please take a few seconds to have a look at http://bugzilla.wikimedia.org/show_bug.cgi?id=12681 and help with your comments about whether we should apply this change or not. Applying it will prevent people from spoofing the "new message" alert, but at the same time, will make the new message bar to appear where it never appeared before, which may not be desired.
Repeating (and expanding on) my comment from there: this is pointless, IMO. The usertalk thing can still easily be spoofed with absolute positioning, unless bug 9526 (http://bugzilla.wikimedia.org/show_bug.cgi?id=9526) is fixed. Adding the current user's name to the message is a much more sensible tactic; it would be impossible to spoof unless someone adds a JS-based {{username}} hack or something.
Of course, this doesn't affect me at enwiki. I decided more than a year ago (in the midst of some fight or other, I guess, I don't remember) that the default orange color was too traumatizing, so I added some user CSS:
.usermessage { background: lightgreen no-repeat 4px center url(http://upload.wikimedia.org/wikipedia/commons/thumb/b/b0/Smiley_head_happy.p...); border-color: green; padding: 0.5em 13px 0.5em 33px; }
Even that can be spoofed with something like <div class="usermessage" ....> I guess! ;)
On 1/24/08, Simetrical Simetrical+wikilist@gmail.com wrote:
On Jan 24, 2008 7:42 AM, Huji huji.huji@gmail.com wrote:
Please take a few seconds to have a look at http://bugzilla.wikimedia.org/show_bug.cgi?id=12681 and help with your comments about whether we should apply this change or not. Applying it
will
prevent people from spoofing the "new message" alert, but at the same
time,
will make the new message bar to appear where it never appeared before, which may not be desired.
Repeating (and expanding on) my comment from there: this is pointless, IMO. The usertalk thing can still easily be spoofed with absolute positioning, unless bug 9526 (http://bugzilla.wikimedia.org/show_bug.cgi?id=9526) is fixed. Adding the current user's name to the message is a much more sensible tactic; it would be impossible to spoof unless someone adds a JS-based {{username}} hack or something.
Of course, this doesn't affect me at enwiki. I decided more than a year ago (in the midst of some fight or other, I guess, I don't remember) that the default orange color was too traumatizing, so I added some user CSS:
.usermessage { background: lightgreen no-repeat 4px center url( http://upload.wikimedia.org/wikipedia/commons/thumb/b/b0/Smiley_head_happy.p... ); border-color: green; padding: 0.5em 13px 0.5em 33px; }
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 24/01/2008, Huji huji.huji@gmail.com wrote:
Even that can be spoofed with something like <div class="usermessage" ....> I guess! ;)
I went off-list to point that out - you may just have ruined Simetrical's clever scheme.
On Jan 24, 2008 3:52 PM, Huji huji.huji@gmail.com wrote:
Even that can be spoofed with something like <div class="usermessage" ....> I guess! ;)
Rats, you're right. :(
Anyway, as I say, I don't think this is necessary, personally.
Simetrical wrote:
On Jan 24, 2008 7:42 AM, Huji wrote:
Please take a few seconds to have a look at http://bugzilla.wikimedia.org/show_bug.cgi?id=12681 and help with your comments about whether we should apply this change or not. Applying it will prevent people from spoofing the "new message" alert, but at the same time, will make the new message bar to appear where it never appeared before, which may not be desired.
Repeating (and expanding on) my comment from there: this is pointless, IMO. The usertalk thing can still easily be spoofed with absolute positioning, unless bug 9526 (http://bugzilla.wikimedia.org/show_bug.cgi?id=9526) is fixed.
I don't see how is that "spoofing" dangerous. Sure, you can make them click a link, but so you can putting it anywhere else, and that way it's even easier to notice if it is doing any harm. What's the matter?
Huji wrote:
Please take a few seconds to have a look at http://bugzilla.wikimedia.org/show_bug.cgi?id=12681 and help with your comments about whether we should apply this change or not. Applying it will prevent people from spoofing the "new message" alert, but at the same time, will make the new message bar to appear where it never appeared before, which may not be desired.
I've reverted this change for now as the moved bar interferes with various templates in use on Wikimedia sites such as geolocation, protected and featured article icons, etc.
These are currently stuck up above the article content area with absolute positioning -- meaning it fails when there's more space than expected.
This has been an intermittent problem with the site notice, but with a big ol' bar that stretches across the whole content area it affects even people with large window sizes.
We'd like to figure out a nicer way to handle these templates; once that's done and we can remove the positioning hacks, we can revisit this sort of change.
-- brion
wikitech-l@lists.wikimedia.org