[MediaWiki-l] [Wikitech-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on Special:Login and Special:Preferences

Chris Steipp csteipp at wikimedia.org
Fri Nov 7 00:45:08 UTC 2014


On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott
<datzrott at alizeepathology.com> wrote:
> This seems completely reasonable to me. I'd merge it personally. Is there
> any reason not to?

It's fairly easy to inject JavaScript via CSS, so merging that patch
means an admin can run JavaScript on the login/preferences page, while
we specifically block JavaScript from Common.js, etc.

For me, I like knowing that when I log in on a random wiki in our
cluster, a site admin can't have (maliciously or unintentionally) put
JavaScript on the login page to sniff my password. I'd prefer Kunal's
patch had a feature flag so we could disable this on WMF wikis, but
sites with robust auditing of their common.css can enable it.


