On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott
<datzrott(a)alizeepathology.com> wrote:
This seems completely reasonable to me. I'd merge
is personally. Is there
any reason not to?
It's fairly easy to inject javascript via css, so merging that patch
means an admin can run javascript on the login/preferences page, while
we specifically block javascript from Common.js, etc.
For me, I like knowing that when I login on a random wiki in our
cluster, a site admin can't have (maliciously or unintentionally) put
javascript on the login page to sniff my password. I'd prefer Kunal's
patch had a feature flag so we could disable this on WMF wikis, but
sites with robust auditing of their common.css can enable it.