Page MenuHomePhabricator
Create Task
Maniphest T177895

Allow logged in users to disable MediaWiki:Common.js and MediaWiki:Common.css
Open, MediumPublic
Actions

Description

MediaWiki:Common.js and MediaWiki:Common.css provide various styles and JavaScript that may not be wanted by a user for security (they provide a vector for attack) or aesthetic reasons (ie. they make heavy use of User css/js).

We should make this an opt-out experience.

Event Timeline

Jdlrobson created this task.Oct 10 2017, 11:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 10 2017, 11:07 PM
Aklapper added a comment.Oct 10 2017, 11:20 PM

Potentially implementation related: The safemode=1 URL parameter "temporarily deactivate(s) all on-wiki scripts at once"

Bawolff subscribed.Oct 10 2017, 11:26 PM

From a security prespective, the main risk (that a per-user off switch could address) is that these features allow making an xss "permenant" (excluding the risk of malicious admin). An option by itself wouldnt prevent that as a malicious person could just turn it back on. Would need to make the user do something like reenter password before reenabling

Bawolff added a comment.Oct 10 2017, 11:29 PM
In T177895#3674239, @Bawolff wrote:

From a security prespective, the main risk (that a per-user off switch could address) is that these features allow making an xss "permenant" (excluding the risk of malicious admin). An option by itself wouldnt prevent that as a malicious person could just turn it back on. Would need to make the user do something like reenter password before reenabling

Err nevermind i misread that as special:mypage/common.js

From a security prespective its unclear how useful this is since there are other sources than mediawiki:common.js of javascript a malicious admin can target

Bawolff edited projects, added Security-team-backlog; removed Security-Team.Sep 4 2018, 4:18 PM
chasemp edited projects, added Security-Team; removed Security-team-backlog.Dec 23 2019, 5:12 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.
chasemp triaged this task as Medium priority.Dec 23 2019, 5:19 PM
Reedy edited projects, added Security; removed Security-Team.Sep 2 2021, 4:55 PM
Remagoxer subscribed.May 4 2022, 1:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL