https://bugzilla.wikimedia.org/show_bug.cgi?id=11106

Chris Steipp <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #11 from Chris Steipp <[email protected]> ---

(In reply to Krinkle from comment #7)
> I'm not sure I see how making this entire thing a configuration variable is
> a good thing. Security should not be configurable.

My reason for +2'ing that is that I'd prefer an admin, who really wants to
allow some of that css through, put it in their configuration rather than doing
their own hack in core, which would be less secure for them.

At the WMF, I would likely never be ok with an exception allowing any url()'s
through, so if that really is Danny B.'s only motivation, someone should
probably just update the title and wontfix this bug.

> I recommend this feature be reverted and we figure out a way to enable this
> other use of url() in a sane way. Whether we want that way to be allowed
> always or behind an opt-in flag is a separate question, but I don't think
> there is a valid use case for making the entire thing configurable. That only
> complicates maintenance, security updates, and overall mobility of wikitext
> between sites.

I'm fine with reverting this change, since Timo and Tim seem to feel
strongly about it. Also, it definitely hurts the mobility of wikitext between
sites; I hadn't considered that aspect of it.

I'm honestly skeptical we can find a sane way to support urls in css, but I'm
open to being surprised. And again, if that's the goal, let's change the bug
to reflect what's actually wanted.
