https://bugzilla.wikimedia.org/show_bug.cgi?id=33372

       Web browser: ---
             Bug #: 33372
           Summary: Do not load CentralNotice on pages with password
                    fields
           Product: MediaWiki extensions
           Version: any
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: CentralNotice
        AssignedTo: wikibugs-l@lists.wikimedia.org
        ReportedBy: duplicate...@googlemail.com
                CC: fr-t...@wikimedia.org, rkald...@wikimedia.org
    Classification: Unclassified


CentralNotice is not respecting OutputPage::disallowUserJs() on
Special:UserLogin, Special:ChangePassword (and maybe Special:ChangeEmail, it is
new in 1.19).

The disallowUserJs method is called for good reasons: to disallow sniffing
passwords with hijacked user or site JavaScript.

CentralNotice allows adding scripts written by users, and a hijacked user
account can add a script to sniff passwords or more.

Please do not load CentralNotice on those pages. Thanks.
