MediaWiki has a concept of an elevated security mode for sensitive operations, but in practice all it does is require the user to re-authenticate periodically. That makes an XSS or similar attack harder, but the techniques still work; only the window of opportunity gets smaller.
Instead, we should aim for a secure mode that is actually more secure: while the user is in that mode, disable functionality that can serve as an attack vector, even at the cost of a less convenient experience; visibly mark in the UI that the session is in secure mode; and offer an exit action.
A couple of things we could do to lock down secure mode:
- Make aggressive use of CSP.
- Lock the session to the IP and user agent.
- Disallow CORS requests (or at least make them not happen in secure mode).
- On protocol-relative wikis, immediately exit secure mode if the user makes a request over HTTP.
- Renew the session ID when entering. (I think we do this already, but it should be double-checked.)
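As an added illustration of how the measures in the list above fit together in one request path (not MediaWiki code; the class and function names, header names, the `X-Secure-Mode` marker and the CSP values are all assumptions for this example), here is a small Python model of a session store that rotates the session ID when entering secure mode, binds the session to the client's IP and User-Agent, refuses cross-origin requests while secure, emits a strict CSP, and drops back to normal mode as soon as a plain-HTTP request arrives:

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# CSP values are assumptions for this example, not MediaWiki's actual policies.
SECURE_MODE_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                   "base-uri 'self'; form-action 'self'; frame-ancestors 'none'")
NORMAL_CSP = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:"


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Bind a session to the client's IP and User-Agent; hashed so the raw values
    are not stored alongside the session."""
    return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    session_id: str
    user: str
    secure: bool = False
    fingerprint: Optional[str] = None


@dataclass
class Request:
    ip: str
    user_agent: str
    scheme: str                    # "https" or "http"
    origin: Optional[str] = None   # Origin header; present on cross-origin requests


class SessionStore:
    """Hypothetical in-memory session store used only for this example."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    def create(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid, user)
        return sid

    def enter_secure_mode(self, sid: str, req: Request) -> str:
        """Switch to secure mode: renew the session ID and bind to the client."""
        old = self.sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = Session(
            new_sid, old.user, secure=True,
            fingerprint=client_fingerprint(req.ip, req.user_agent))
        return new_sid

    def exit_secure_mode(self, sid: str) -> None:
        session = self.sessions[sid]
        session.secure = False
        session.fingerprint = None


def handle_request(store: SessionStore, sid: str, req: Request,
                   site_origin: str = "https://wiki.example.org") -> dict:
    """Apply the secure-mode rules and return the status plus response headers."""
    session = store.sessions.get(sid)
    if session is None:
        return {"status": 401, "headers": {}, "secure": False}
    if session.secure:
        if req.scheme != "https":
            # Plain-HTTP request on a protocol-relative wiki: leave secure mode immediately.
            store.exit_secure_mode(sid)
        elif client_fingerprint(req.ip, req.user_agent) != session.fingerprint:
            # Request from a different IP or User-Agent: drop the elevated state.
            store.exit_secure_mode(sid)
        elif req.origin is not None and req.origin != site_origin:
            # Cross-origin (CORS) requests are refused while in secure mode.
            return {"status": 403,
                    "headers": {"Content-Security-Policy": SECURE_MODE_CSP},
                    "secure": True}
    headers = {"Content-Security-Policy": SECURE_MODE_CSP if session.secure else NORMAL_CSP}
    if session.secure:
        # Hypothetical marker the front end reads to show the secure-mode banner and exit link.
        headers["X-Secure-Mode"] = "1"
    return {"status": 200, "headers": headers, "secure": session.secure}
```

Note that the demotion paths deliberately fall through to a normal 200 response rather than an error: the point is that the sensitive state is gone, so whatever the request was trying to do now runs with the ordinary session and must re-enter secure mode (and re-authenticate) first.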
There are a couple more things that relate to non-public tasks and won't be mentioned here; see backlinks.