
SECURITY: OutputPage: Remove separation of css and js module allowance
d6a8d34bff2f (Unpublished)

Description

SECURITY: OutputPage: Remove separation of css and js module allowance

  • No longer segment module origin allowance by an "only=" content type. Both can be sensitive security-wise and there's no valid use case for allowing CSS anywhere you want to disallow JS. Both can significantly impact the user interface and cause unintended actions to be taken on the user's behalf, or desired actions to be made practically impossible.

  • While at it, also remove the ability to set the module allowance directly. The reduceAllowedModuleOrigin method is all we need. I couldn't find usage or mention of setAllowedModules() in mediawiki-core nor in any other Wikimedia-hosted repository.

Bug: 70672
Change-Id: I0e82755aede6ddd7101b495802a45d5fd96b6722

Details

Provenance
Krinkle Authored on
Mglaser Committed on Oct 1 2014, 8:36 PM
Parents
rMW9e6d512f99d5: Updated release notes and version number for MediaWiki 1.23.4
Branches
Unknown
Tags
Unknown
ChangeId
I0e82755aede6ddd7101b495802a45d5fd96b6722