https://bugzilla.wikimedia.org/show_bug.cgi?id=25886
Krinkle <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #11 from Krinkle <[email protected]> 2012-09-18 13:50:04 UTC ---
(In reply to comment #3)
> I think this could be solved by simply adding the header:
>
> Access-Control-Allow-Origin: *
>
> to all bits.wikimedia.org requests? Unless we have non-public data that comes
> from that server, but I doubt that such data uses the bits server, because it
> would not be cacheable.
>
> Geoiplookup has a similar security issue I guess, but that does carry sensitive
> data, and thus needs specific Origin targeting (API has this I believe).

bits.wikimedia.org should be restricted the same way as the API.

Though on second thought:

* /geoiplookup - Easily worked around; there are many public IP-to-location
  systems out there. The IP itself is not easily retrievable except with another
  domain available. We probably shouldn't be that domain.

* /../load.php: Modules can be private (e.g. user.options contains preferences);
  however, these are already protected in load.php (e.g. try
  https://bits.wikimedia.org/www.mediawiki.org/load.php?debug=false&modules=user.options&only=scripts).
  Private modules can only be loaded from server output.
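The two policies the comment contrasts, a wildcard for public cacheable responses versus "specific Origin targeting" for endpoints that return requester-specific data, as an added example (not MediaWiki's or Wikimedia's code). The allowlist, the path-to-sensitivity table and the origins used are constructed placeholders.

```python
"""Per-endpoint CORS header selection (added example, not Wikimedia code)."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: origins permitted to read sensitive responses.
ALLOWED_ORIGINS = {"https://www.mediawiki.org", "https://en.wikipedia.org"}

# Constructed table: does the response carry data tied to the requester?
# A wildcard on such a path would let any third-party page read it.
SENSITIVE_PATHS = {"/geoiplookup": True, "/load.php": False}


def normalize_origin(origin: str) -> Optional[str]:
    """Return lowercase scheme://host[:port], or None for a malformed Origin."""
    try:
        parts = urlsplit(origin)
        port = f":{parts.port}" if parts.port else ""
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname}{port}"


def cors_headers(path: str, origin: Optional[str], with_credentials: bool = False) -> dict:
    """Pick the CORS response headers for one request.

    Public paths get '*' so any site may read the cacheable body.
    Sensitive paths echo the Origin only when it is allowlisted, plus
    'Vary: Origin' so shared caches keep per-origin variants apart.
    '*' is never combined with Allow-Credentials (browsers reject that).
    """
    sensitive = SENSITIVE_PATHS.get(path, True)  # unknown paths: sensitive
    if not sensitive and not with_credentials:
        return {"Access-Control-Allow-Origin": "*"}
    if origin is None:
        return {}  # no Origin header: not a cross-origin read, nothing to grant
    norm = normalize_origin(origin)
    if norm is None or norm not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}  # no ACAO header: the browser blocks the read
    headers = {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```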
