https://bugzilla.wikimedia.org/show_bug.cgi?id=69596

Rainer Rillke @commons.wikimedia <ril...@wikipedia.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ril...@wikipedia.de

--- Comment #2 from Rainer Rillke @commons.wikimedia <ril...@wikipedia.de> ---
(In reply to Michael M. from comment #1)

naak naak naak, again such a security nonsense; the same as in Bug 48931 -- either we trust user scripts and this is what we currently do (see below) or we don't and they must be completely removed.

1) Do you store passwords in your browser for Commons? Firefox? Please log out and go to https://commons.wikimedia.org/w/index.php?title=Help:Gadget-Cat-a-lot&withJS=MediaWiki:ActivateGadget.js&gadgetname=Cat-a-lot -- see your password will be pre-filled and my evil script could read it. Scary, isn't it :~)

2) Malicious scripts could, at any time create a fake login form like "We are sorry, but your session expired. Please log in again ... blah blah Password: [_______]". We are not actively telling users that they should only use [[Special:UserLogin]] for security reasons and never enter their password on a different page.

3) There is an API module for login and it's not only useful to bots.

The security claims are void, let's move forward.