https://bugzilla.wikimedia.org/show_bug.cgi?id=33372
Web browser: ---
Bug #: 33372
Summary: Do not load CentralNotice on pages with password fields
Product: MediaWiki extensions
Version: any
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: CentralNotice
AssignedTo: wikibugs-l@lists.wikimedia.org
ReportedBy: duplicate...@googlemail.com
CC: fr-t...@wikimedia.org, rkald...@wikimedia.org
Classification: Unclassified

CentralNotice is not respecting OutputPage::disallowUserJs() on Special:UserLogin, Special:ChangePassword (and maybe Special:ChangeEmail, it is new in 1.19).

The disallowUserJs method is called for good reasons: to disallow sniffing passwords with hijacked user or site JavaScript.

CentralNotice allows adding scripts written by users, and a hijacked user account can add a script to sniff passwords or more.

Please do not load CentralNotice on those pages. Thanks.