Page MenuHomePhabricator
Create Task
Maniphest T419347

Editing your own JS/CSS pages should maybe require elevated security
Open, Needs TriagePublic
Actions

Description

Similar to T197137: Editing sitewide JS/CSS pages should require elevated security and T419152: Editing user JS/CSS pages of another user should require elevated security, maybe we also want reauthentication before a user is able to edit their own JS? This is less clear-cut than the other two but there are scenarios where it would be useful:

  • When the user JS in question is used by many others (ideally this wouldn't happen, but it does, a lot; sometimes even site scripts include user scripts).
  • When an attacker wants to escalate a temporary account takeover (e.g. reflected XSS) into a permanent one
  • Specifically for global.js, an attacker could use it to escalate a Meta account takeover to all other sites.

Related Objects

Event Timeline

Tgr created this task.Mar 8 2026, 5:48 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMar 8 2026, 5:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr mentioned this in T419152: Editing user JS/CSS pages of another user should require elevated security.Mar 8 2026, 5:48 PM
Bugreporter subscribed.Mar 8 2026, 6:09 PM

As described at https://en.wikipedia.org/wiki/User:NYKevin/Interface_administrators_and_trusting_trust and its talk page, attacker can build a fake login page using JS to steal user's password.

Wellverywell subscribed.Mar 8 2026, 6:13 PM
RhinosF1 subscribed.Mar 8 2026, 6:34 PM
Johannnes89 subscribed.Mar 8 2026, 8:01 PM
Nirmos subscribed.Mar 8 2026, 8:45 PM
A_smart_kitten added a project: 2026-user-javascript-incident.Mar 8 2026, 8:54 PM
A_smart_kitten subscribed.

(tagging for visibility, as this proposal was split out of a task that FWICS was filed as a follow-up to the user javascript incident)

Nemoralis awarded a token.Mar 9 2026, 4:50 AM
Pppery removed a project: MediaWiki-User-Interface (actions).Mar 9 2026, 5:44 AM
ClaudineChionh subscribed.Mar 9 2026, 5:50 AM
kostajh subscribed.Mar 9 2026, 12:10 PM
OWresch-WMF triaged this task as Low priority.Mar 9 2026, 3:54 PM
OWresch-WMF moved this task from Inbox, needs triage to Q3 Kanban Board on the MediaWiki-Platform-Team board.
OWresch-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.
OWresch-WMF raised the priority of this task from Low to Needs Triage.Mar 9 2026, 3:58 PM
OWresch-WMF moved this task from Q3 Kanban Board to Radar on the MediaWiki-Platform-Team board.
OWresch-WMF edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team (Q3 Kanban Board).
Nux subscribed.Mar 9 2026, 8:49 PM
Bugreporter added a comment.EditedMar 12 2026, 2:21 PM

One point to note is some gadgets such as Twinkle stores its preferences in .js subpage of user pages, and provided a custom interface to edit it. (the modern way to manage such preference would be JSON. See T419938: Support per-user preference configuration.)

Novem_Linguae subscribed.Sun, Mar 15, 7:48 AM
FriedrickMILBarbarossa subscribed.Mon, Mar 16, 12:03 PM
FriedrickMILBarbarossa awarded a token.Mon, Mar 16, 12:05 PM
Catrope moved this task from Backlog to Q4 on the 2026-user-javascript-incident board.Wed, Mar 18, 4:51 PM
MLechvien-WMF added a project: Sustainability (Incident Followup).Thu, Mar 19, 11:42 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits