On 9/4/07, Domas Mituzas <midom.lists(a)gmail.com> wrote:
What kind of change/revision management would those
URLs have? Are
copies archived/saved on toolserver for every script that gets
uploaded to accessible area? :)
No more or less than the zillions of pre-existing things invoked
remotely via <script src= today.
It doesn't help with session hijacking - you can
still get cookie
values with javascript, and send xmlrequest anywhere you want.
Indeed, you can.
You can also still do this *today* no new functionality is needed to
create this problem (audit trailless thingies stealing session
cookies).
Yes, it is one of current security problems, probably
the global .js
rights have to be moved from sysops to stewards :), but at least we
can track who and when added what (revision histories!) - there's no
such audit trail on toolserver.
Sysops can, have, and are adding script tag calls that call scripts
external to the local revision control.
It's also
possible to use an invisible iframe as a request proxy off
to another domain:
http://blog.monstuff.com/archives/000304.html
You won't be able to read contents of that frame, nor get cookies,
nor modify anything in frame document's DOM.
Sure you can: You make the code running outside of the iframe eval
anything string the iframe passes to it.
In terms of
security profile adding a proxy wouldn't change anything..
Now you join the camp of ignorant! :)
Hey ... I'm over here.. you're standing in front of a mirror. :)
but it would
allow legitimate tool authors to avoid ugly kludges
needed to work around the 'security behavior'.
the security behavior is to protect wikipedians.
Security is good. Failing to understand the current behavior and
existing practices is not.