On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott <[email protected]> wrote: > This seems completely reasonable to me. I'd merge is personally. Is there > any reason not to?
It's fairly easy to inject javascript via css, so merging that patch means an admin can run javascript on the login/preferences page, while we specifically block javascript from Common.js, etc. For me, I like knowing that when I login on a random wiki in our cluster, a site admin can't have (maliciously or unintentionally) put javascript on the login page to sniff my password. I'd prefer Kunal's patch had a feature flag so we could disable this on WMF wikis, but sites with robust auditing of their common.css can enable it. _______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
