--- Comment #10 from Aryeh Gregor <simetrical+wikib...@gmail.com> 2010-12-29
18:52:12 UTC ---
(In reply to comment #8)
> It’s more than “moderately annoying” . You said it yourself: the images
> could be replaced with something “malicious”. It’s more obvious how this could
> be a security risk when you consider that images could be used by gadgets or
> user scripts.
The images are cross-origin, so they can do basically nothing different from if
they were on some totally different site in a different tab. Gadgets and user
scripts cannot (AFAIK) access the contents of upload.wikimedia.org files at
all. Pretty much anything an attacker could do by MITMing these images, they
could do by MITMing some unrelated site you have open, assuming you have at
least one unsecured connection open. So that point is, yes, at most moderately
The issues of replacing the scripts, and snooping on the images to figure out
what pages you're viewing, are the significant ones.
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Wikibugs-l mailing list