Could someone explain a couple of things for me? The wording of the OP for the original bug[1] seems to say that there is some other global css/js which he refers to as "My global JS" which is different than Common.(js|css). Am I interpreting that correctly or are they the same thing???
Why would css/js of a site be considered insecure for the special pages like the login page if the site is already considered trusted in general by the user? Is this a standard security measure that all legit sites around the Internet use (forums/twitter/online banking/etc.)? Thanks, Al [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=68521 >________________________________ > From: Mark A. Hershberger <[email protected]> >To: MediaWiki-l <[email protected]> >Sent: Thursday, November 6, 2014 7:58 AM >Subject: [MediaWiki-l] MediaWiki:Common.js and MediaWiki:Common.css blocked >on Special:Login and Special:Preferences > > > > >TL;DR: Should we merge https://gerrit.wikimedia.org/r/#/c/165979/ and >release it with MediaWiki 1.24? > >A lot of sites have used MediaWiki:Common.js and MediaWiki:Common.css to >customize the appearance of their site. > >In a recent security release[1], support for JS and CSS with on-wiki >origins was removed from being displayed on the Special:Login and >Special:Preferences page. > >Because of how the on-wiki MediaWiki:Common.* pages are used and the >access restrictions on them, I think it is reasonable to allow JS and >CSS from them while continuing to disallow individual's JS and CSS on >the Special:Preferences and Special:Login page. > >Alexia filed a bug[2] and Kunal (Legoktm) has provided a patch[3] to allow >site-wide styling back on those pages. > >I'd like to merge this, but I want some input from the community and >security people before I do that. > >Thanks, > >Mark. > >(Reply-to set to mediawiki-l.) > > >Footnotes: >[1] https://bugzilla.wikimedia.org/70672 > >[2] https://bugzilla.wikimedia.org/71621 > >[3] https://gerrit.wikimedia.org/r/#/c/165979/ > > >-- >Mark A. Hershberger >NicheWork LLC >717-271-1084 > >_______________________________________________ >MediaWiki-l mailing list >To unsubscribe, go to: >https://lists.wikimedia.org/mailman/listinfo/mediawiki-l > > > _______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
