MediaWiki has a concept of an elevated security mode for sensitive operations, but all it really does is require re-authentication periodically. That makes an XSS or similar attack harder, but the techniques still work; only the window of opportunity gets smaller.
Instead, we should aim for a secure mode that's actually more secure: while the user is in that mode, we should disable functionality that can serve as an attack vector, even at the cost of making the experience more inconvenient; and visibly mark in the UI that the session is in secure mode, and offer an exit action.
A couple of things that we could do to lock down secure mode:
- Disable custom JavaScript. We probably can't get away with disabling all of it, since some workflows involving sensitive functionality make heavy use of user scripts (e.g. steward or checkuser tools), but we should at least limit user-contributed scripts to the least risky types, such as gadgets, and prevent the loading of user scripts belonging to other users and of scripts from other domains.
- Make aggressive use of CSP.
- Lock the session to the IP and user agent.
- Disallow CORS requests (or at least make them not happen in secure mode).
- On protocol-relative wikis, immediately exit secure mode if the user makes a request over HTTP.
- Renew the session ID when entering. (I think we do this already, but it should be double-checked.)
There are a couple more things that relate to non-public tasks and won't be mentioned here; see backlinks.
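To make the session-related items above concrete, here is an added illustration (not MediaWiki code, and not from this task) of how a secure-mode session could rotate its ID on entry, bind itself to the client's IP and user agent, and drop back out of secure mode on a binding mismatch or on a plaintext request; the `Session`/`Request` types and the CSP value are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:           # assumed minimal session model for the example
    session_id: str
    user: str
    secure: bool = False
    bound_ip: Optional[str] = None
    bound_ua: Optional[str] = None

@dataclass
class Request:           # assumed minimal request model for the example
    ip: str
    user_agent: str
    scheme: str          # "https" or "http"

def enter_secure_mode(session: Session, request: Request) -> Session:
    # Rotate the session ID on entry so a token captured before elevation is useless afterwards.
    session.session_id = secrets.token_hex(16)
    session.secure = True
    # Bind to IP and user agent. Caveat: IP binding drops mobile/NAT-pool users who change address.
    session.bound_ip = request.ip
    session.bound_ua = request.user_agent
    return session

def exit_secure_mode(session: Session) -> None:
    session.secure = False
    session.bound_ip = None
    session.bound_ua = None

def check_secure_request(session: Session, request: Request) -> str:
    """Return 'ok' if the request may proceed in secure mode, else why secure mode was dropped."""
    if not session.secure:
        return "not-secure"
    if request.scheme != "https":            # protocol-relative wiki: a plain-HTTP hit ends secure mode
        exit_secure_mode(session)
        return "exited:plaintext"
    if request.ip != session.bound_ip or request.user_agent != session.bound_ua:
        exit_secure_mode(session)            # session token used from a different client
        return "exited:client-mismatch"
    return "ok"

def secure_mode_headers() -> dict:
    # Assumed example policy: only same-origin scripts, no third-party script hosts, no cross-site sends.
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'; connect-src 'self'; "
                                       "form-action 'self'; frame-ancestors 'none'"}
```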