Message: 11
Date: Mon, 1 Nov 2010 07:29:18 +0000 (UTC)
From: Tisza Gergő <gtisza(a)gmail.com>
Subject: Re: [Wikitech-l] Cross wiki script importing
To: wikitech-l(a)lists.wikimedia.org
Message-ID: <loom.20101101T082118-175(a)post.gmane.org>
Content-Type: text/plain; charset=utf-8
Raimond Spekking <raimond.spekking <at> gmail.com> writes:
Try something like
importScriptURI('http://ml.wikipedia.org/w/index.php?title=Mediawiki:ru…javascript');
That will break HTTPS security though. I use this script on my home wiki:
[snip]
May I ask how? If you're logged in to the secure server, then the
cookies won't get transmitted to the unsecure server when loading js
from them. At the very worst (if we really put on our tin foil hats) I
suppose someone could intercept the non-secured js script, do a man in
the middle type thing and replace the script with malicious js.
However if someone actually has the ability to do that, they could
already do that with the geoip lookup. Thus I don't see how doing the
importScriptURI reduces security.
-bawolff
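
The case debated above (a script URL on plain HTTP pulled into a page served over HTTPS) can be checked before the loader is called. This is an added example, not code from the thread or from MediaWiki; `checkScriptImport`, `guardedImport`, the `loader` callback (standing in for a function such as `importScriptURI`) and all URLs and host names are hypothetical.

```javascript
// Added example: guard placed in front of a script loader such as importScriptURI.
// All URLs and host names used with it are constructed for illustration.
function checkScriptImport(pageUrl, scriptUrl, allowedHosts) {
  const page = new URL(pageUrl);
  let script;
  try {
    // Resolve relative and protocol-relative ("//host/path") URLs against the page.
    script = new URL(scriptUrl, page);
  } catch (e) {
    return { allowed: false, reason: 'unparseable-url' };
  }
  if (script.protocol !== 'http:' && script.protocol !== 'https:') {
    return { allowed: false, reason: 'unsupported-scheme' };
  }
  // A script fetched over plain HTTP can be replaced in transit, and once
  // loaded it runs inside the HTTPS page with that page's privileges.
  if (page.protocol === 'https:' && script.protocol === 'http:') {
    return { allowed: false, reason: 'mixed-content' };
  }
  // Only load from hosts the site operator has explicitly listed.
  if (!allowedHosts.includes(script.hostname)) {
    return { allowed: false, reason: 'host-not-allowed' };
  }
  return { allowed: true, reason: 'ok' };
}

// Calls loader(absoluteUrl) only when the check passes; returns the verdict.
function guardedImport(pageUrl, scriptUrl, allowedHosts, loader) {
  const verdict = checkScriptImport(pageUrl, scriptUrl, allowedHosts);
  if (verdict.allowed) {
    loader(new URL(scriptUrl, pageUrl).href);
  }
  return verdict;
}
```

A protocol-relative URL (`//host/path`) inherits the scheme of the importing page, so the same import line passes the check on both the HTTP and the HTTPS version of a site.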