On Thu, May 17, 2012 at 11:19 PM, Daniel Friesen <[email protected]> wrote:

> On Wed, 16 May 2012 19:32:40 -0700, Terry Chay <[email protected]> wrote:
>
>> On May 16, 2012, at 12:03 PM, Daniel Friesen wrote:
>>
>>> JSON callbacks can be initiated by 3rd party websites. Allowing json
>>> callbacks to act as the logged in user would allow any website on the
>>> internet to extract information that is supposed to be private and
>>> potentially make unauthorized write actions on the wiki.
>>>
>>> Private wiki content could be extracted.
>>
>> Yep! Still can on some browsers.
>>
>>> Articles could be edited in your name.
>>
>> I thought http://www.mediawiki.org/wiki/Manual:Edit_token protects
>> against this as it is required for an edit:
>> http://www.mediawiki.org/wiki/API:Edit
>>
>
> Yes. Except you can get tokens by the api. If we didn't drop permissions
> to anon and reject requests for tokens to JSONP then it would be possible
> for a 3rd party website to use JSONP to extract an edit token, and then
> initiate a background iframe form POST to make an edit under your account.

Read up. :)

Terry/Roan mentioned that you can use regular JSON output format, and
override the property setter to steal the data.

--
Andrew Garrett
Wikimedia Foundation
[email protected]

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
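The server-side rule Daniel describes (drop to anonymous permissions whenever a JSONP callback is requested, and refuse to hand out tokens over JSONP), as an added JavaScript example written for this thread; it is not MediaWiki's code, and the page store, the session object and the callback-name check are constructed assumptions.

```javascript
'use strict';

// Constructed stand-in for wiki content: one public page, one private page.
const PUBLIC_PAGES = { Main_Page: 'welcome' };
const PRIVATE_PAGES = { 'Secret/Plan': 'internal only' };

// `session` stands for the browser's logged-in cookie session (null = anonymous).
function pageContent(title, session) {
  if (title in PUBLIC_PAGES) return PUBLIC_PAGES[title];
  if (title in PRIVATE_PAGES && session && session.user) return PRIVATE_PAGES[title];
  return null; // anonymous callers never see private pages
}

// Minimal API dispatcher. Returns { status, body } like an HTTP response.
function handleApiRequest(params, session) {
  const isJsonp = typeof params.callback === 'string' && params.callback.length > 0;

  // Core of the mitigation: a callback parameter means a third-party page may
  // be loading this URL in a <script> tag, so the caller is treated as anonymous
  // regardless of which cookies the browser attached.
  const effectiveSession = isJsonp ? null : session;

  let result;
  if (params.action === 'tokens') {
    if (isJsonp) {
      // Never expose tokens through JSONP, even the anonymous one.
      result = { error: { code: 'jsonp', info: 'tokens are not available via JSONP' } };
    } else if (effectiveSession && effectiveSession.user) {
      result = { tokens: { edittoken: effectiveSession.editToken } };
    } else {
      result = { tokens: { edittoken: '+\\' } }; // anonymous placeholder token
    }
  } else if (params.action === 'query') {
    const text = pageContent(params.title, effectiveSession);
    result = text === null ? { error: { code: 'missing' } } : { query: { title: params.title, text } };
  } else {
    result = { error: { code: 'unknown_action' } };
  }

  const body = JSON.stringify(result);
  if (isJsonp) {
    // Assumed rule: only a plain identifier may be used as the callback name, so
    // the response cannot be turned into arbitrary script by the caller.
    if (!/^[A-Za-z0-9_.]+$/.test(params.callback)) return { status: 400, body: '' };
    return { status: 200, body: `${params.callback}(${body})` };
  }
  return { status: 200, body };
}
```

With a callback present, a logged-in session neither reveals the private page nor yields an edit token, while the same requests without a callback (same-origin XHR) behave normally.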
