Add $wgAllowSiteJSOnRestrictedPages to allow JS on restricted special pages
Closed, Declined · Public

Description

Parts of my responsive design are done by MediaWiki:Common.js and this fails.

See also: T73621: Not loading site CSS on Special:UserLogin/Preferences breaks wikis which use it to create a skin/theme which resulted in the addition of $wgAllowSiteCSSOnRestrictedPages

Subfader created this task. Aug 13 2015, 6:52 PM
Subfader updated the task description.
Subfader raised the priority of this task from to Needs Triage.
Subfader added a subscriber: Subfader.
Restricted Application added a subscriber: Aklapper. · Aug 13 2015, 6:52 PM
Ciencia_Al_Poder set Security to None.

We already added this setting to MediaWiki to allow you to enable site CSS on high security pages on your wiki... I don't understand what you're asking for here.

I ask for JavaScript. There are cases where admins don't open security holes.

A wiki may have userJS disabled or https://www.mediawiki.org/wiki/Extension:UserPageEditProtection

MediaWiki is not Wikipedia.

Legoktm added a subscriber: Legoktm.

Parts of my responsive design are done by MediaWiki:Common.js and this fails.

Why not use a proper skin?

csteipp edited projects, added Security-Team; removed Security. Aug 13 2015, 11:52 PM

Parts of my responsive design are done by MediaWiki:Common.js and this fails.

Why not use a proper skin?

Because proper responsive design is responsive on all devices including desktop..

Aklapper triaged this task as Lowest priority. Aug 14 2015, 12:47 PM

Why not use a proper skin?

Because proper responsive design is responsive on all devices including desktop..

I mean, why is your responsive design not part of a proper skin that has resources stored on the server instead of wiki pages?

Krinkle added a subscriber: Krinkle. Apr 9 2018, 6:41 PM

I mean, why is your responsive design not part of a proper skin that has resources stored on the server instead of wiki pages?

Indeed. I would propose declining this request for the reason that adding this feature encourages a bad practice and does not actually provide new abilities. Site admins can already create skins with custom CSS and JS by registering the skin in LocalSettings.php, which works on restricted pages. If you need assistance, I'd recommend asking at Support desk (or SO). If you want, the skin could even register its module source as a wiki page, if editing files on the server is causing difficulty.

FWIW, from a security perspective, I've always been pretty unconvinced of how useful this restriction is. At best, it may slow down an unsophisticated attacker. But it's pretty easy for a malicious person to work around.

Aklapper closed this task as Declined. May 9 2018, 10:58 AM