[MediaWiki-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on Special:Login and Special:Preferences

Mark A. Hershberger mah at nichework.com
Thu Nov 6 14:58:25 UTC 2014



TL;DR: Should we merge https://gerrit.wikimedia.org/r/#/c/165979/ and
release it with MediaWiki 1.24?

A lot of sites have used MediaWiki:Common.js and MediaWiki:Common.css to
customize the appearance of their site.

In a recent security release[1], support for JS and CSS with on-wiki
origins was removed from being displayed on the Special:Login and
Special:Preferences page.

Because of how the on-wiki MediaWiki:Common.* pages are used and the
access restrictions on them, I think it is reasonable to allow JS and
CSS from them while continuing to disallow individual's JS and CSS on
the Special:Preferences and Special:Login page.

Alexia filed a bug[2] and Kunal (Legoktm) has provided a patch[3] to allow
site-wide styling back on those pages.

I'd like to merge this, but I want some input from the community and
security people before I do that.

Thanks,

Mark.

(Reply-to set to mediawiki-l.)


Footnotes: 
[1]  https://bugzilla.wikimedia.org/70672

[2]  https://bugzilla.wikimedia.org/71621

[3]  https://gerrit.wikimedia.org/r/#/c/165979/


-- 
Mark A. Hershberger
NicheWork LLC
717-271-1084



More information about the MediaWiki-l mailing list