On Mon, 13 Feb 2012 17:10:47 -0800, K. Peachey <[email protected]> wrote:

> On Tue, Feb 14, 2012 at 10:38 AM, Shivansh Srivastava
> <[email protected]> wrote:
>> 3. jQuery drop menu for login - (
>> https://svn.wikimedia.org/svnroot/mediawiki/trunk/mockups/ajax-mockups/Login/index.html#)
>> - Can be integrated with AJAX for an on the page account validation or
>> creation; without having to go to a different page. (

> I believe we had a GSOC project not long ago (Last year?) to improve
> the login progress (including the AJAX side of things and API support
> for it). Although for security reasons I believe we would want to
> leave the Login stuff on its own page (for security reasons).

The idea that login is secure because it's on a separate page from the rest of the site is actually an old mistake. If a script is included ANYWHERE on the site on the same domain, then it's possible to inject some code that will fake pageviews in a way that lets an attacker have a running script when the user follows the login link to the login page. So there isn't really any security advantage of a separate login page over an AJAX login. (well ;) unless you're using the separate login page because you have JS disabled, then you're safe, heh)

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
