On May 16, 2012, at 12:03 PM, Daniel Friesen wrote:

> JSON callbacks can be initiated by 3rd party websites. Allowing json
> callbacks to act as the logged in user would allow any website on the
> internet to extract information that is supposed to be private and
> potentially make unauthorized write actions on the wiki.
>
> Private wiki content could be extracted.

Yep! Still can on some browsers.

> Articles could be edited in your name.

I thought http://www.mediawiki.org/wiki/Manual:Edit_token protects against this, as it is required for an edit: http://www.mediawiki.org/wiki/API:Edit

> And up till recently it would have also been possible to make some
> preferences changes that would effectively let someone take over your whole
> account.

I didn't know OptionsToken is new: http://www.mediawiki.org/wiki/API:Options :-( Cool! Learn something new about mediawiki every day.

Take care,
terry

_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
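As an added illustration (not MediaWiki's own code), a minimal API handler in Python showing the two mitigations this thread touches on: a JSONP request (one carrying `callback=`) is served as if nobody were logged in, so a third-party page embedding it as a `<script>` learns nothing private, and an edit additionally requires a per-session token that a third-party page cannot read. The names `handle_api`, `edit_token`, `PAGES` and `SESSION_SECRET` and the sample data are constructed for this example.

```python
import hashlib
import hmac
import json
import re

# Constructed sample data: one public and one private page, and a server-side
# secret used to derive per-session tokens (hypothetical, not MediaWiki's scheme).
PAGES = {"Public_Page": "anyone may read this", "Private_Page": "members only"}
SESSION_SECRET = b"constructed-session-secret"
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$.]*")  # only plain identifiers as callbacks


def edit_token(session):
    """Derive a CSRF token bound to the session, in the spirit of an edit token."""
    if session is None:
        return None
    return hmac.new(SESSION_SECRET, session["user"].encode(), hashlib.sha256).hexdigest()


def can_read(page, session):
    return page in PAGES and (page != "Private_Page" or session is not None)


def handle_api(params, session):
    """Return (ok, body). `session` is the cookie session sent by the browser, or None."""
    callback = params.get("callback")
    if callback is not None:
        if not CALLBACK_RE.fullmatch(callback):
            return (False, json.dumps({"error": "badcallback"}))
        # A cross-site <script src=...> request still carries the victim's cookies;
        # a JSONP response must therefore be built as an anonymous user.
        session = None
    action = params.get("action")
    if action == "query":
        page = params.get("title", "")
        if not can_read(page, session):
            result = {"error": "permissiondenied"}
        else:
            result = {"title": page, "text": PAGES[page]}
    elif action == "edit":
        if session is None:
            result = {"error": "notloggedin"}
        elif not hmac.compare_digest(params.get("token", ""), edit_token(session)):
            result = {"error": "badtoken"}  # token missing or not this session's
        else:
            PAGES[params["title"]] = params["text"]
            result = {"edit": "success"}
    else:
        result = {"error": "unknownaction"}
    body = json.dumps(result)
    if callback is not None:
        body = "%s(%s)" % (callback, body)  # JSONP: script calling the named function
    return ("error" not in result, body)
```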
