Hi Strainu, We were trying to balance how much data vs summary information to give to people, but you can find the issues vs. resolution table here:
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Check/iSEC_Assessment_2014 For the issue you pointed out in particular, we have https://phabricator.wikimedia.org/T85856 where you can follow the discussion. The end result was that this was a low severity issue, we're definitely not going to do away with user javascript, instead we may add a warning if we can find a useful UX experience for the user. On Mon, Apr 27, 2015 at 8:35 AM, Strainu <[email protected]> wrote: > I personally find one of the suggestions in the report worrying: > > "Eliminate custom CSS/JavaScript. iSEC found multiple issues with the > custom JavaScript system. > This system appears to pose significant risk for relatively small > benefit. As such, iSEC recommends > that Wikimedia Foundation deprecate this functionality and allow users > instead to customize their > experience on the client side using browser extensions such as > Greasemonkey or Tampermonkey." > > This is related to one of the problems identified by the team: "Users > can inspect each other's personal JavaScript" > > While the custom JS is used by a relatively small number of users, the > ability to learn and copy another user's scripts has played an > important part in the development(and maintenance) of scripts that are > now considered essential by many Wikimedians (twinkle and wikied come > to mind). > > Furthermore, replacing those script with Greasemonkey scripts would > lead to a "black market" of Wiki-scripts shared through channels > external to our sites. Those scripts would be even more prone to > social engineering attacks and could endanger our user's security. > > I would like to know if the WMF is indeed considering completely > dropping the custom JS feature and if so, what is the timeline for > this change? > > Thanks, > Strainu > > 2015-04-21 4:41 GMT+03:00 Pine W <[email protected]>: > > Thanks for your work on this, Chris. > > > > Forwarding to Wikitech-l. > > > > Pine > > On Apr 20, 2015 4:58 PM, "Chris Steipp" <[email protected]> wrote: > > > >> > >> On Apr 20, 2015 4:13 PM, "Andrew Sherman" <[email protected]> > wrote: > >> > > >> > Hello Everyone, > >> > > >> > We just published "Improving the security of our users on Wikimedia > >> sites" to the blog. URL: > >> > > >> > > https://blog.wikimedia.org/2015/04/20/improving-security-for-our-users/ > >> > > >> > Thanks to Chris for writing and helping us edit this post. > >> > > >> > Below are some proposed social media messages. Tweak as needed. > >> > > >> > Twitter > >> > > >> > We teamed up with @iSECPartners and @OpenTechFund to assess the > security > >> of our sites. Check out the report here [link] > >> > > >> > FB/G+ > >> > > >> > We teamed up with iSEC Partners to assess the security of our sites > and > >> protect the privacy of our users. Their engineers developed attacks > against > >> the current version of MediaWiki to identify security flaws, in a new > >> report sponsored by the Open Technology Fund. [link] > >> > >> Maybe just "MediaWiki" instead of "the current version of MediaWiki", > >> since we did a release to specifically fix issues that they found. Might > >> confuse some people as is. > >> > >> > > >> > Thanks, > >> > -- > >> > Andrew Sherman > >> > Digital Communications | Wikimedia Foundation > >> > > >> > E: [email protected] > >> > WMF: ASherman (WMF) > >> > >> _______________________________________________ > >> Social-media mailing list > >> [email protected] > >> https://lists.wikimedia.org/mailman/listinfo/social-media > >> > >> > > _______________________________________________ > > Wikitech-l mailing list > > [email protected] > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > > _______________________________________________ > Wikitech-l mailing list > [email protected] > https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
