https://bugzilla.wikimedia.org/show_bug.cgi?id=46902
Brad Jorsch <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #5 from Brad Jorsch <[email protected]> ---
(In reply to comment #2)
> (In reply to comment #1)
> > Could take editinterface away from sysops, but that means they can't edit
> > any message in the mediawiki ns, which would be bad. But it stops any of
> > the edits to js/css that affect all users.
>
> A number of people should have access, but some number less than the
> thousands that can edit enwiki would be nice ;)

Isn't that just a matter of not giving many people sysop? Or you could do as
mentioned in comment #1 (remove editinterface from sysops) and give
editinterface to a different, more limited group. You'd probably also want
$wgAllowUserJs and $wgAllowUserCss set to false.

> > > * Disallow any iframing
> >
> > We do this by default these days iirc, or at least Tim has coded it.
>
> There are a lot of pages (e.g., action=view for articles) that override that,
> unfortunately. We would probably clean those up so we can disable all of
> them.

There's already $wgBreakFrames that looks like it would force anything using
OutputPage::output() to always set X-Frame-Options: DENY.

But be careful you don't break the iframe-based login check from Gerrit change
58924. Since it doesn't use OutputPage::output(), it should be safe from
$wgBreakFrames.

> Most of the XSS we've seen have required some input. My preference would be
> no user controlled data.

Take away everything except 'read' from *, users, and autoconfirmed? ;)

(does CentralAuth need 'createaccount' and/or 'centralauth-merge' to create the
local account during login?)
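The settings discussed in comment #5, collected into one LocalSettings.php fragment. This is an added example for readers of the thread, not code from the bug report or from MediaWiki; the group name 'interface-editor' is an assumption chosen for illustration, and the CentralAuth question raised in the comment is left as a commented-out option rather than answered.

```php
<?php
// Added example (not from the bug thread or from MediaWiki): LocalSettings.php
// fragment applying the hardening suggested in comment #5. It must run after
// DefaultSettings.php has been included, so $wgGroupPermissions is populated.
// The group name 'interface-editor' is an assumption for illustration.

// 1. Take 'editinterface' away from the (large) sysop group and give it to a
//    small dedicated group. Sysops keep all other rights; only edits in the
//    MediaWiki: namespace (including site-wide JS/CSS) need the new group.
$wgGroupPermissions['sysop']['editinterface'] = false;
$wgGroupPermissions['interface-editor']['editinterface'] = true;
// Let bureaucrats grant and revoke the new group.
$wgAddGroups['bureaucrat'][] = 'interface-editor';
$wgRemoveGroups['bureaucrat'][] = 'interface-editor';

// 2. Per-user User:Name/foo.js and foo.css pages also run script in the wiki's
//    origin; disable both, as the comment recommends.
$wgAllowUserJs = false;
$wgAllowUserCss = false;

// 3. Emit X-Frame-Options: DENY on every response that goes through
//    OutputPage::output(). Code paths that bypass OutputPage (such as the
//    iframe login check mentioned in the comment) are not affected by this.
$wgBreakFrames = true;

// 4. "Take away everything except 'read'" from anonymous, logged-in and
//    autoconfirmed users: walk the rights DefaultSettings granted to each group
//    and switch everything but 'read' off. foreach iterates over a copy of the
//    array, so assigning into $wgGroupPermissions inside the loop is safe.
foreach ( array( '*', 'user', 'autoconfirmed' ) as $group ) {
	foreach ( $wgGroupPermissions[$group] as $right => $granted ) {
		if ( $right !== 'read' ) {
			$wgGroupPermissions[$group][$right] = false;
		}
	}
}

// Open question from the thread: CentralAuth may need 'createaccount' and/or
// 'centralauth-merge' on '*' to create the local account during login. If it
// does, re-enable only those rights, e.g.:
// $wgGroupPermissions['*']['createaccount'] = true;
// $wgGroupPermissions['*']['centralauth-merge'] = true;
```

After applying this, Special:ListGroupRights shows the effective rights per group and is the quickest way to confirm that sysop no longer carries editinterface and that '*', 'user' and 'autoconfirmed' are down to 'read'.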
