[MediaWiki-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on Special:Login and Special:Preferences

Al alj62888 at yahoo.com
Fri Nov 7 19:35:26 UTC 2014


Could someone explain a couple of things for me?

The wording of the OP for the original bug[1] seems to say that there is some other global css/js which he refers to as "My global JS" which is different than Common.(js|css). Am I interpreting that correctly or are they the same thing?

Why would css/js of a site be considered insecure for the special pages like the login page if the site is already considered trusted in general by the user?  Is this a standard security measure that all legit sites around the Internet use (forums/twitter/online banking/etc.)?

Thanks,
Al



[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=68521



>From: Mark A. Hershberger <mah at nichework.com>
>To: MediaWiki-l <mediawiki-l at lists.wikimedia.org>
>Sent: Thursday, November 6, 2014 7:58 AM
>Subject: [MediaWiki-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on Special:Login and Special:Preferences
>
>TL;DR: Should we merge https://gerrit.wikimedia.org/r/#/c/165979/ and
>release it with MediaWiki 1.24?
>
>A lot of sites have used MediaWiki:Common.js and MediaWiki:Common.css to
>customize the appearance of their site.
>
>In a recent security release[1], support for JS and CSS with on-wiki
>origins was removed from being displayed on the Special:Login and
>Special:Preferences pages.
>
>Because of how the on-wiki MediaWiki:Common.* pages are used and the
>access restrictions on them, I think it is reasonable to allow JS and
>CSS from them while continuing to disallow individuals' JS and CSS on
>the Special:Preferences and Special:Login pages.
>
>Alexia filed a bug[2] and Kunal (Legoktm) has provided a patch[3] to allow
>site-wide styling back on those pages.
>
>I'd like to merge this, but I want some input from the community and
>security people before I do that.
>
>Thanks,
>
>Mark.
>
>(Reply-to set to mediawiki-l.)
>
>
>Footnotes: 
>[1]  https://bugzilla.wikimedia.org/70672
>
>[2]  https://bugzilla.wikimedia.org/71621
>
>[3]  https://gerrit.wikimedia.org/r/#/c/165979/
>
>
>-- 
>Mark A. Hershberger
>NicheWork LLC
>717-271-1084