Message: 11 Date: Mon, 1 Nov 2010 07:29:18 +0000 (UTC) From: Tisza Gergő gtisza@gmail.com Subject: Re: [Wikitech-l] Cross wiki script importing To: wikitech-l@lists.wikimedia.org Message-ID: loom.20101101T082118-175@post.gmane.org Content-Type: text/plain; charset=utf-8
Raimond Spekking <raimond.spekking <at> gmail.com> writes:
Try something like
importScriptURI('http://ml.wikipedia.org/w/index.php?title=Mediawiki:rules.js&action=raw...');
That will break HTTPS security though. I use this script on my home wiki:
[snip]
May I ask how? If you're logged in to the secure server, then the cookies won't get transmitted to the insecure server when loading JS from it. At the very worst (if we really put on our tin foil hats) I suppose someone could intercept the non-secured JS script, do a man-in-the-middle type thing and replace the script with malicious JS. However, if someone actually has the ability to do that, they could already do that with the GeoIP lookup. Thus I don't see how doing the importScriptURI reduces security.
-bawolff
On Tue, Nov 2, 2010 at 1:09 AM, bawolff bawolff+wn@gmail.com wrote:
May I ask how? If you're logged in to the secure server, then the cookies won't get transmitted to the insecure server when loading JS from it. At the very worst (if we really put on our tin foil hats) I suppose someone could intercept the non-secured JS script, do a man-in-the-middle type thing and replace the script with malicious JS. However, if someone actually has the ability to do that, they could already do that with the GeoIP lookup. Thus I don't see how doing the importScriptURI reduces security.
Firefox and IE will whine that the site attempts to load insecure resources. Also, it is indeed possible to transmit cookies; it's enough that the user has also logged into the insecure servers in the past and is e.g. at a public WiFi hotspot now and so uses the secure gateway.
Marco
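The mixed-content case Marco describes (an https page pulling a hard-coded http:// script) is easy to avoid at the call site. The wrapper below is an added example, not code from this thread or from MediaWiki; it takes the real loader (importScriptURI) as a parameter so it can run outside a wiki, and the function names are assumptions of this example.

```javascript
// Added example (not from the thread). Normalise a user-script URL so it is never
// loaded over plain http from an https page: the browser would warn, and the script
// body would travel unauthenticated to a logged-in session.

function matchScriptScheme(rawUrl, pageProtocol) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('refusing non-http(s) script URL: ' + url.protocol);
  }
  // Upgrade the script's scheme to match a secure page; leave http pages alone,
  // because forcing https there changes nothing about the page's own security.
  if (pageProtocol === 'https:' && url.protocol === 'http:') {
    url.protocol = 'https:';
  }
  return url.href;
}

// True when loading rawUrl from a page served over pageProtocol would be mixed content.
function isMixedContent(rawUrl, pageProtocol) {
  return pageProtocol === 'https:' && new URL(rawUrl).protocol === 'http:';
}

// Drop-in replacement for a bare importScriptURI(url) call. `loader` is the real
// importScriptURI (or any function taking a URL); pageProtocol defaults to the
// current page's scheme when run in a browser.
function importScriptSameScheme(rawUrl, loader, pageProtocol) {
  const proto = pageProtocol ||
    (typeof location !== 'undefined' ? location.protocol : 'https:');
  const fixed = matchScriptScheme(rawUrl, proto);
  loader(fixed);
  return fixed;
}
```

This only removes the downgrade; the cookie leak Marco mentions (a non-Secure cookie set during an earlier http login) has to be fixed on the server by marking session cookies Secure.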
On Tue, Nov 2, 2010 at 4:10 PM, Marco Schuster marco@harddisk.is-a-geek.org wrote:
Firefox and IE will whine that the site attempts to load insecure resources. Also, it is indeed possible to transmit cookies;
That is because it's loading content from our upload servers (aka Images); those domains are set not to send/set cookies.
On Mon, Nov 1, 2010 at 8:09 PM, bawolff bawolff+wn@gmail.com wrote:
May I ask how? If you're logged in to the secure server, then the cookies won't get transmitted to the insecure server when loading JS from it.
Unless you've logged into the insecure server at some point in the past.
At the very worst (if we really put on our tin foil hats) I suppose someone could intercept the non-secured JS script, do a man-in-the-middle type thing and replace the script with malicious JS. However, if someone actually has the ability to do that, they could already do that with the GeoIP lookup.
True, that's a separate problem.