WMDE-leszek created this task. WMDE-leszek added a project: Wikidata.
As pointed out in T186726, it is possible to trick users of the Wikibase UI into clicking on malicious things (clickjacking), e.g. when an item page is included in an HTML frame.
More description authored by @Bawolff in the said ticket, including possible ways to solve the problem.
Since this allows edit interaction directly on the wiki page, it should take steps to prevent clickjacking. Either JavaScript should detect when the page is being framed and refuse to load the editing-related JS code (since the editing-related code only happens if JS is enabled, it's safe to detect this condition in JS), or the extension can call OutputPage::preventClickjacking() (which will totally disable frames altogether for both JS and non-JS users).
Cc: Aklapper, Lydia_Pintscher, WMDE-leszek, Bawolff, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, Wikidata-bugs, aude, Mbch331
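
The JavaScript option from the description above, sketched as an added example (not Wikibase or MediaWiki code): detect framing and refuse to load the editing code, failing closed if the check cannot be made. `isFramed`, `initEditingUi`, the `loadEditingUi` callback and the window-like test objects are hypothetical names constructed for this illustration.

```javascript
'use strict';

// True when `win` is not the top-level browsing context, i.e. the page is
// rendered inside a frame. Fails closed: if the check itself throws, the
// page is treated as framed.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Gate for the editing UI. `loadEditingUi` is a hypothetical callback that
// stands in for whatever loads the editing-related JS.
function initEditingUi(win, loadEditingUi) {
  if (isFramed(win)) {
    return { editingEnabled: false, reason: 'framed' };
  }
  loadEditingUi();
  return { editingEnabled: true, reason: null };
}

// Constructed window-like objects so the gate can be exercised outside a browser.
function makeTopLevelWindow() {
  const w = {};
  w.self = w;
  w.top = w;
  return w;
}

function makeFramedWindow() {
  const w = {};
  w.self = w;
  w.top = makeTopLevelWindow(); // the embedding page
  return w;
}

function makeUnreadableWindow() {
  const w = {};
  w.self = w;
  Object.defineProperty(w, 'top', { get() { throw new Error('access denied'); } });
  return w;
}

// In a browser the call would be initEditingUi(window, ...).
const demoResults = [makeTopLevelWindow(), makeFramedWindow(), makeUnreadableWindow()]
  .map((w) => initEditingUi(w, () => {}).editingEnabled);
console.log(demoResults);
```

This gate only withholds the editing code; the page can still be displayed in a frame, whereas OutputPage::preventClickjacking(), per the description above, disables framing for JS and non-JS users alike.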