Page MenuHomePhabricator
Create Task
Maniphest T16534

New informational security message for user .js pages
Closed, DuplicatePublicFeature
Actions

Description

Author: rockmfr

Description:
There should be a system message that is displayed on the top of the page for user .js (and possibly .css) pages when both viewing the page and when editing.

Security is the prime motivation for this enhancement. Right now, there are a number of system messages that can be used to inform users that they may be screwing themselves by editing a page (clearyourcache, usercssjsyoucanpreview, and userinvalidcssjstitle are the ones I know of), but it would be better to have a single centralized system message for security-related information. The purpose of this new system message would be to inform users that any code they preview or save can have negative consequences.

It is possible to include such a message in the current system messages, but it is both a pain in the ass to target to the correct pages and not the purpose of these system messages. This current situation is fine for enwiki, but other wikis would certainly benefit from a centralized message.

Version: unspecified
Severity: enhancement

Details

Reference
bz14534

Event Timeline

bzimport raised the priority of this task from to Low.Nov 21 2014, 10:09 PM
bzimport added a project: MediaWiki-User-Interface.
bzimport set Reference to bz14534.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Jun 13 2008, 8:03 PM
siebrand added a comment.Aug 13 2008, 9:07 PM

Component: Unknown -> User interface

bzimport added a comment.Aug 13 2008, 9:30 PM

alexsm333 wrote:

The enwiki is NOT fine, because I see this useless warning on other users .js pages, which I cannot edit anyway. The proposed new message is not going to fix this annoyance unless it's shown only for the page owner.

Liuxinyu970226 subscribed.Oct 1 2016, 12:42 AM
Jdlrobson added projects: Security, Security-Team.Jan 13 2021, 7:50 PM
Krenair subscribed.Jan 14 2021, 1:18 AM
Reedy removed a subscriber: wikibugs-l-list.Jan 25 2021, 4:11 PM
sbassett removed a project: Security-Team.Jan 25 2021, 4:14 PM
sbassett subscribed.

The Security-Team discussed this during our clinic today. We don't really have a problem with this, conceptually, if it gains further support. We do not feel that it is a critical issue though and do not have the resources to work on implementation any time soon.

Aklapper changed the subtype of this task from "Task" to "Feature Request".Feb 4 2022, 11:01 AM
Pppery closed this task as a duplicate of T200878: Users should be warned againts putting arbitrary code to personal scripts.Apr 12 2023, 1:04 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL