On Tue, May 27, 2014 at 10:10 PM, Matthew Flaschen <[email protected]> wrote:

> On 05/27/2014 10:52 PM, Brian Wolff wrote:
>
>>> I specifically said bits.wikimedia.org and upload.wikimedia.org (and not
>>> commons.wikimedia.org), neither of which host user JavaScript.
>>>
>>> Matt Flaschen
>>
>> Gadgets are on bits and they are user controlled. Ditto for
>> mediawiki:common.js et al. (Unless you mean users as in non admins).
>> I see no usecase from allowing from bits. If someone wants an extension
>> asset they can upload it.
>
> You're right, I was completely wrong about the user JavaScript. Actually,
> user scripts are on bits too. Conceivably, it could limit it to
> directories starting with static-..., but that starts getting complicated.
> It's probably safer to limit it to user-uploaded Commons files as you said.

It *should* be difficult to get javascript to run inside an image-- you would have to find an element that we allow that interprets javascript source. If anyone comes up with a way, I'd be very interested in hearing about it. If the javascript is already in an svg, then it's much easier to get it to execute. But overall it's much safer to just not allow it, which is why we currently don't.

> Matt Flaschen
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
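
Added example, not part of the original thread and not MediaWiki's own upload check: a small scanner that applies the two policies discussed above to an SVG, rejecting script-bearing markup and any reference to a host other than upload.wikimedia.org. It assumes the references in question are `href`/`src` attributes in an uploaded SVG; `scan_svg`, `ALLOWED_HOSTS` and the sample document are constructed for illustration, and the policy is deliberately strict (it also refuses DOCTYPEs and `data:` URIs).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"upload.wikimedia.org"}  # assumption: the host the thread settles on
URL_ATTRS = {"href", "src"}

def local(name):
    return name.rsplit("}", 1)[-1].lower()  # '{ns}href' -> 'href'

def scan_svg(text):
    """Return (kind, detail) findings; an empty list means nothing was flagged."""
    # This example's policy: refuse DTDs outright so entity tricks never reach the parser.
    if "<!doctype" in text.lower() or "<!entity" in text.lower():
        return [("dtd", "DOCTYPE or ENTITY declaration")]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [("malformed", str(exc))]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.append(("script-element", tag))
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):
                findings.append(("event-handler", f"{tag}@{attr}"))
            elif attr in URL_ATTRS and not value.strip().startswith("#"):
                # Browsers strip tabs and newlines from URLs; drop all whitespace to be conservative.
                url = "".join(value.split())
                try:
                    parts = urlsplit(url)
                except ValueError:
                    findings.append(("bad-url", url))
                    continue
                if parts.scheme not in ("", "http", "https"):
                    findings.append(("bad-scheme", parts.scheme))
                elif parts.hostname not in ALLOWED_HOSTS:
                    findings.append(("disallowed-host", parts.hostname or url))
    return findings

# Constructed sample, not taken from the thread.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://upload.wikimedia.org/example.png"/>
  <image xlink:href="https://bits.wikimedia.org/example.png"/>
  <a xlink:href="java&#9;script:void(0)"><rect onload="void(0)"/></a>
  <script>void(0)</script>
</svg>"""
```

Same-document references such as `href="#id"` are skipped, and relative or protocol-relative references are reported as `disallowed-host` because they do not name the allowed host explicitly.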
