= Project Information
* Name of tool/project: TemplateStyles
* Project home page: https://www.mediawiki.org/wiki/Extension:TemplateStyles
* Name of team requesting review: n/a
* Primary contact: @coren
* Target date for deployment: Some time after the security review :-)
* Link to code repository / patchset: https://gerrit.wikimedia.org/r/#/admin/projects/mediawiki/extensions/TemplateStyles
== Description of the tool/project
Extension to allow per-template styling in MediaWiki. Result of the discussion at T483.
== Description of how the tool will be used at WMF
The intent is to deploy the extension to production wikis.
== Dependencies
List dependencies, or upstream projects that this project relies on
== Has this project been reviewed before? ==
Not beyond the code review at project creation.
== Working test environment ==
http://ts.wmflabs.org/w/index.php/Main_Page has a test wiki where the extension is deployed and tests have been conducted. A test environment requires nothing but a 1.25+ MW install and TemplateStyles loaded with wfLoadExtension().
= Post-deployment
I'll remain around to maintain the extension for the foreseeable future, but I expect there might be a desire to eventually fold this functionality into core.
= Notes
In addition to the usual security considerations, this extension extends the right to affect style sheets to all editors, by design, so there are a number of points we want to make certain of:
* UI elements should not be style-able by this method;
* no injection of non-CSS elements can be made to the rendered page;
* there exists no way for user-provided styles to run JavaScript (some CSS properties and values are known to be able to do this in several older browsers); and
* there exists no way for user-provided styles to cause the browser to fetch from an external resource.
Additionally, we will want to create a policy in terms of a blacklist and whitelist combination which will implement the security requirements we have.
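
One way the whitelist and blacklist combination in the notes above could be checked, as an added illustration that is not taken from the TemplateStyles code. The property list, the denied value tokens and the `.tpl-content` wrapper class are assumptions, and the sample stylesheets are constructed.

```python
import re

# Assumed policy for illustration only; not the extension's actual lists.
# "position" is left out so content cannot be laid over the interface.
ALLOWED_PROPERTIES = {"color", "background-color", "font-weight",
                      "text-align", "margin", "padding", "border"}
# Value tokens that fetch a resource or ran script in older browsers.
DENIED_VALUE = re.compile(r"url\s*\(|image(-set)?\s*\(|expression\s*\(|javascript:", re.I)
# Hypothetical wrapper class: every selector must select inside it.
SCOPED = re.compile(r"\.tpl-content\s+[^~+\s]")
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})\s?|(.))", re.S)

def normalize(css):
    """Drop comments and decode CSS escapes so the checks see the real tokens."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)
    def decode(m):
        if m.group(1) is None:
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return ESCAPE.sub(decode, css)

def check_stylesheet(css):
    """Return the list of policy violations; an empty list means the sheet passes."""
    css = normalize(css)
    problems = []
    if "<" in css:
        problems.append("markup character")   # non-CSS content, e.g. a closing tag
    if "@" in css:
        problems.append("at-rule")            # @import and @font-face fetch resources
    if RULE.sub("", css).strip():
        problems.append("unparsed content")   # fail closed on anything unrecognised
    for selectors, body in RULE.findall(css):
        for sel in selectors.split(","):
            if not SCOPED.match(sel.strip()):
                problems.append("unscoped selector: " + sel.strip())
        for decl in filter(None, (d.strip() for d in body.split(";"))):
            prop, _, value = decl.partition(":")
            prop = prop.strip().lower()
            if prop not in ALLOWED_PROPERTIES:
                problems.append("property not allowed: " + prop)
            if DENIED_VALUE.search(value):
                problems.append("denied value in " + prop)
    return problems

if __name__ == "__main__":
    # Constructed sample: the escape \72 decodes to "r", hiding a url( token.
    print(check_stylesheet(r".tpl-content p { background-color: u\72l(//example.org/x.png) }"))
```

Decoding escapes before matching is what catches `u\72l(`, which a check on the raw text would miss. The selector rule also rejects `.tpl-content ~ #sidebar`, where a sibling combinator would reach outside the wrapper.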