https://bugzilla.wikimedia.org/show_bug.cgi?id=69596
Matthew Flaschen <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #4 from Matthew Flaschen <[email protected]> ---
(In reply to Michael M. from comment #1)
> A login widget could be easily spoofed by a malicious user script (while
> Special:Login is difficult to spoof).

There's actually nothing that makes Special:UserLogin particularly difficult to spoof. Using malicious JavaScript, you can even spoof the actual URL using history.replaceState (https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Manipulating_the_browser_history), so that when someone clicks a pre-determined link (or visits a particular wiki page), their browser URL bar will show the exact URL of the normal login page, and the web page can look like the login page.

The solution is to keep a careful eye on all scripts in the MediaWiki namespace, and be cautious when installing user scripts.

If we do add such a "login and stay on the page" feature (which is under discussion, e.g. as part of a potential "login and save your edit" combination workflow), we will also have to communicate it to avoid confusion. However, security concerns should not simply block all discussion and development of features in this area.
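A reviewer-side check in the spirit of the "keep a careful eye on all scripts in the MediaWiki namespace" advice, added here as an example and not part of the bug thread or of MediaWiki: a small Node.js scanner that flags browser-history and location manipulation in a user script's source so a human can review it. The pattern list, the function names and the two sample scripts are constructed for this example.

```javascript
// Static scan of a user script for calls that can change what the URL bar
// shows (history.replaceState/pushState) or navigate the page (location
// assignment). Regex-based: it produces candidates for human review, not a
// verdict, and obfuscated code can evade it.
const SUSPICIOUS_PATTERNS = [
  { name: 'history.replaceState', re: /\bhistory\s*\.\s*replaceState\s*\(/ },
  { name: 'history.pushState', re: /\bhistory\s*\.\s*pushState\s*\(/ },
  { name: 'location assignment', re: /\blocation\s*(\.\s*(href|pathname))?\s*=[^=]/ },
];

// Returns one finding per (line, pattern) hit: { line, pattern, text }.
function scanUserScript(source) {
  const findings = [];
  source.split('\n').forEach((rawLine, idx) => {
    const line = rawLine.trim();
    // Comment-only lines are skipped so documentation cannot trigger a hit.
    if (line.startsWith('//') || line.startsWith('*') || line.startsWith('/*')) return;
    for (const { name, re } of SUSPICIOUS_PATTERNS) {
      if (re.test(line)) findings.push({ line: idx + 1, pattern: name, text: line });
    }
  });
  return findings;
}

// Constructed sample scripts (hypothetical, not real wiki gadgets).
const BENIGN_SCRIPT = `
// Adds a sidebar link; touches neither history nor location.
mw.util.addPortletLink('p-tb', '/wiki/Special:RecentChanges', 'Recent');
`;

const SUSPICIOUS_SCRIPT = `
/* Rewrites the URL bar to the login page path without navigating there,
 * which is the replaceState trick described in the comment above. */
history.replaceState({}, '', '/w/index.php?title=Special:UserLogin');
`;

// Stand-alone run: prints the findings for the suspicious sample.
console.log(JSON.stringify(scanUserScript(SUSPICIOUS_SCRIPT), null, 2));
```

Run with `node scan.js`; a script that yields any finding is one a gadget reviewer should read in full before enabling it.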
