I guess we would need some hook for checking when some piece of content is raw CSS/JS/HTML. We'll probably need that for extending editsitejs and similar permissions to some edge cases, so this might not be much work.

I'd like to see a more generic/general dropdown to filter by content model, which is a task I've been thinking about proposing and which would have general benefits aside from CSS/JS editing, for example being able to watch TemplateStyles edits, which is of general interest to me.

In T200766#8334633, @Izno wrote:

I'd like to see a more generic/general dropdown to filter by content model, which is a task I've been thinking about proposing and which would have general benefits aside from CSS/JS editing, for example being able to watch TemplateStyles edits, which is of general interest to me.

This task is about dangerous ressource edits, leaking privacy information by beacon (touching foreign domains by accessing small images etc.). This could be made by black hat sysops, e.g. in Russia, Belarus, Iran, Turkey etc. It will tell big business or governments who is reading or editing which Wikipedia article via which IP address, and ISP may be controlled by government.

• A TemplateStyles edit may be made by any anonymous user on the planet.
• Since TemplateStyles are sanitized, they are preventing bad code, as far as known.
• Your suggestion would overflow the surveillance of a few edits per day within entire WMF farm by lots of non-hazardous activities.
• It is not the business of global WMF security to worry about CSS rendering in certain articles somewhere.

In T200766#8335032, @PerfektesChaos wrote:

This task is about dangerous ressource edits [snip]

Huh? Exposing content model in the context of RecentChanges and Watchlist filters seems in the realm of trivial, and can be used to set up a filter which is exclusive to CSS and JavaScript content models for people concerned about such things. Open your mind just a bit to the more general value. :)

Incidentally,

Regular execution as gadget or skin/common configuration must be blocked if content model does not match expectation by page name extension.

Is actually T171563: Only allow MediaWiki, Gadget, and User namespace pages to be treated as JS or CSS (no project namespace, etc.)

You might not have understood the background, or living in English Wikipedia World only.

Imagine that a sysop in Chinese language Wikipedia is granted inteface admin, but on the payroll of Chinese secret service.

• Now in a dark corner of some gadget code an obfuscated touch of a governmental server is added, perhaps encoding username and pageid into URL.
• From now on every page viewing can be monitored, and page editing is connected as well with IP address of Chinese ISP, which is belonging to the state.
• On editing an article about Hongkong or Uigurs the Wikipedia author get sentenced to some years in jail or concentration camp, or even to death.

Exposing content model in the context of RecentChanges and Watchlist filters seems in the realm of trivial, and can be used to set up a filter which is exclusive to CSS and JavaScript content models for people concerned about such things.

This is from the view of a local community which has the power to control all technical things that happen. Be glad.

• This task here is about a world wide monitoring of all critical resource edits in all WMF projects.
• After a clean state has been found, and currently no security gaps are known, injection of malicious code shall be detected, at least for site resources.

for example being able to watch TemplateStyles edits

This task does not care about local CSS styling of rendering some pages.

• TemplateStyles edits are not known to have security risks since they are sanitized.

In T200766#8337168, @PerfektesChaos wrote:

You might not have understood the background, or living in English Wikipedia World only.

No, I understood the background perfectly. Do not presume.

• This task here is about a world wide monitoring of all critical resource edits in all WMF projects.

We do not need the tag system for this; content model is a quality of the page itself which should be visible to users in our change monitoring systems (watchlist/recentchanges). Filters can provide such visibility. They are moreover useful generally for the other cases noted; page tags are not.

If you think there should be an external tool for this, that is a different question which is not the purpose of MediaWiki-Change-tagging . If you actually want global visibility on such things (I don't think that's unreasonable), you should make that clear in the task description.

If what you want is local visibility, then you still have suggested a solution to a problem with multiple solutions, which is bad feature-requesting practice. That is why I indicated another solution that provides the same level of change monitoring but more generally.

The goal of this task is to monitor about 1000 wikis of WMF for hazardeous codes by global tech community.

What you are talking about is either non-hazardeous or just local in your own wiki.

This is not the scope of this task.

Please do not crash the thread by issues not related to this task.

Tagging activities of vulnerable coding is prerequisite for global surveillance. Otherwise there would be nothing which could be monitored.

This

The goal of this task is to monitor about 1000 wikis of WMF for hazardeous codes by global tech community.

Requires

A tool that surfaces edits to content model JS and CSS
A tool that does so globally

Which in fact requires no tagging. A particularly interested coder could put such a tool together using the replicas, or an extension, which provides a query against each database (recent changes to content model CSS and JS pages). I've adjusted the projects accordingly.