https://bugzilla.wikimedia.org/show_bug.cgi?id=70584

--- Comment #2 from Chris Steipp <[email protected]> ---
Sorry for the delay on this.

Minor nitpick: The default central wiki is an http link, can you make that
https, so we encourage that?

That ties into the bigger issue with the extension-- The security of each
wiki becomes even more tied to that of the central wiki, since the parse is
happening on the remote wiki. So we definitely want to be sure we're talking to
the right remote server. But it also opens up some potential attacks that we
haven't really had to deal with before.

For example:
* Someone who can add raw HTML to a page/template/message on the central wiki
can add JavaScript to the local wiki, for any user.
* If a URL is blacklisted on the local wiki, but isn't blacklisted on the
central wiki, a user can add it centrally and it gets rendered by the local
wiki.
* A local wiki oversighter can't delete/suppress content on the user page if
they don't also have rights on the central wiki.

Inside the WMF cluster, I don't think these will have a major impact, but I
think https://www.mediawiki.org/wiki/Extension:GlobalUserPage should at least
document that enabling this on a wiki means you totally trust the central wiki
and the admins there.
