TL;DR: Should we merge https://gerrit.wikimedia.org/r/#/c/165979/ and release it with MediaWiki 1.24?
A lot of sites have used MediaWiki:Common.js and MediaWiki:Common.css to customize the appearance of their site. In a recent security release[1], support for JS and CSS with on-wiki origins was removed from being displayed on the Special:Login and Special:Preferences page. Because of how the on-wiki MediaWiki:Common.* pages are used and the access restrictions on them, I think it is reasonable to allow JS and CSS from them while continuing to disallow individual's JS and CSS on the Special:Preferences and Special:Login page. Alexia filed a bug[2] and Kunal (Legoktm) has provided a patch[3] to allow site-wide styling back on those pages. I'd like to merge this, but I want some input from the community and security people before I do that. Thanks, Mark. (Reply-to set to mediawiki-l.) Footnotes: [1] https://bugzilla.wikimedia.org/70672 [2] https://bugzilla.wikimedia.org/71621 [3] https://gerrit.wikimedia.org/r/#/c/165979/ -- Mark A. Hershberger NicheWork LLC 717-271-1084 _______________________________________________ Mediawiki-enterprise mailing list Mediawiki-enterprise@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-enterprise