https://bugzilla.wikimedia.org/show_bug.cgi?id=46902
--- Comment #2 from Chris Steipp <[email protected]> ---

(In reply to comment #1)

> Could take away editinterface from sysops, but that means they can't edit
> any message in the MediaWiki ns, which would be bad. But stops any of the
> edits to js/css that affect all users

A number of people should have access, but some number less than the thousands that can edit enwiki would be nice ;)

> > * Minimize the amount of content and features, to reduce the risk for XSS
> > vulnerabilities
>
> Depending on what context you want it to be used, e.g. central place for
> userpages, you wouldn't need many extensions that are outside the group that's
> enabled by default.

Most of the XSS we've seen have required some input. My preference would be no user controlled data. If it seems best to also use it for global user profiles, we'll need to be extra paranoid about what extensions are enabled.

> > * Disallow any iframing
>
> We do this by default these days iirc, or at least Tim has coded it.

There are a lot of pages (e.g., action=view for articles) that override that, unfortunately. We would probably clean those up so we can disable all of them.
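The two controls discussed above (taking editinterface away from the default sysop group so far fewer accounts can touch site-wide JS/CSS, and refusing to be framed by other origins) can be expressed in a MediaWiki LocalSettings.php fragment; this is an added illustration, not configuration from the bug or from Wikimedia, and the group name `interface-editor` is a constructed placeholder.

```php
<?php
// LocalSettings.php fragment (added illustration, not from the bug thread).

// Weak setting: MediaWiki grants editinterface to every sysop by default,
// so anyone in that (large) group can edit MediaWiki:Common.js and
// MediaWiki:Common.css, which run for all readers of the wiki.
//
// Hardened: drop the right from sysop and give it to a small, separately
// managed group instead ('interface-editor' is a constructed name).
$wgGroupPermissions['sysop']['editinterface'] = false;
$wgGroupPermissions['interface-editor']['editinterface'] = true;

// Bureaucrats may add or remove members of the small group; no other
// group gets that ability, so membership stays auditable via Special:Log.
$wgAddGroups['bureaucrat'][]    = 'interface-editor';
$wgRemoveGroups['bureaucrat'][] = 'interface-editor';

// Clickjacking / UI-redress defence: send X-Frame-Options: DENY on page
// views, not only on edit pages. $wgBreakFrames covers normal output;
// $wgEditPageFrameOptions is the value used when an edit form is shown.
$wgBreakFrames = true;
$wgEditPageFrameOptions = 'DENY';
```

After deploying, confirm with `curl -sI https://<wiki>/wiki/Main_Page | grep -i x-frame-options` that the header is present on a plain article view as well as on an edit page.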
