[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-10 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

Kunal Mehta (Legoktm) legoktm.wikipe...@gmail.com changed:

   What|Removed |Added

   See Also||https://bugzilla.wikimedia.org/show_bug.cgi?id=71621

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l


[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-10 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

--- Comment #28 from Kunal Mehta (Legoktm) legoktm.wikipe...@gmail.com ---
Bug 71621 is tracking the issue of site-wide styles not being loaded, and I've
uploaded a patch for it.



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

[[kgh]] mediaw...@kghoffmeyer.de changed:

   What|Removed |Added

 CC||mediaw...@kghoffmeyer.de

--- Comment #25 from [[kgh]] mediaw...@kghoffmeyer.de ---
This is indeed a big problem for wikis which use on-wiki custom skinning.
Besides, this is indeed rather the regular case than a rare one. Now with some days
having passed I can report that people even thought their login was maliciously
hijacked since this page now looks totally different than the rest of the wiki.
While the actual security increased the felt security dramatically plunged. :(
I utterly agree with Bawolff.



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

Marc Schiffres schiff...@gmail.com changed:

   What|Removed |Added

 CC||schiff...@gmail.com

--- Comment #26 from Marc Schiffres schiff...@gmail.com ---
I'm in agreement with Alexia and Bawolff (and kgh). For sites that use
massive custom changes to their skins, such as the background color or the
sidebar, having all this not show up on Special:Preferences or
Special:UserLogin really takes away more than the minimal security it adds.
Given that, as Alexia said, only administrators can even edit these interface
pages, it's only reasonable that they should affect the entire site. Using my
own site as an example: http://grisaiawiki.net/ where I changed all sorts of
colors and styles through Common.css, I was a bit off-put when I noticed that
my changes aren't showing up on a few pages. User-specific CSS and JS not
showing up on these pages is fair, but site-wide interface edits should get
through.



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-07 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

--- Comment #27 from Chris Steipp cste...@wikimedia.org ---
I talked with Kunal about this yesterday. My perspective is that admin
controlled css is probably the least likely place someone is going to inject
something malicious. The user controlled css is the part that scares me the
most.

I'd be ok with a config option to allow Common.css and the skin css files
through. I'm not sure how much work that would be in resource loader.



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-04 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

Bawolff (Brian Wolff) bawolff...@gmail.com changed:

   What|Removed |Added

 CC||bawolff...@gmail.com

--- Comment #24 from Bawolff (Brian Wolff) bawolff...@gmail.com ---
FWIW, I don't think the security benefit (which is at best minimal) of this
change is worth the inconvenience to users who do custom skinning by editing
MediaWiki:Common.css (See also my email to wikitech-l
https://lists.wikimedia.org/pipermail/wikitech-l/2014-October/078903.html )



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

timmr...@gmail.com changed:

   What|Removed |Added

 CC||timmr...@gmail.com

--- Comment #22 from timmr...@gmail.com ---
(In reply to Markus Glaser from comment #15)
> Giving early access to Wikia

What about those of us who are running giant platforms as well such as
Gamepedia?



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-03 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

Alexia E. Smith was...@gmail.com changed:

   What|Removed |Added

 CC||was...@gmail.com

--- Comment #23 from Alexia E. Smith was...@gmail.com ---
It appears this change is also affecting custom skin CSS (Mediawiki:Vector.css)
instead of only custom user CSS.  This prevents custom site styles, that are
only editable by the site administrators, loaded through Mediawiki:Vector.css
from displaying when on those pages.  Unfortunately that ends up being a jarring
experience for the end user.



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-02 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

Krinkle krinklem...@gmail.com changed:

   What|Removed |Added

 Status|PATCH_TO_REVIEW |RESOLVED
 Resolution|--- |FIXED
   Target Milestone|1.23.x release  |1.24.0 release



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

Markus Glaser gla...@hallowelt.biz changed:

   What|Removed |Added

  Group|security|
 CC||agarr...@wikimedia.org
  Component|Core|User preferences
   Assignee|secur...@wikimedia.org  |wikibugs-l@lists.wikimedia.org
Product|Security|MediaWiki
   Target Milestone|--- |1.23.x release

--- Comment #19 from Markus Glaser gla...@hallowelt.biz ---
Publishing this bug as the release is out.



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

Kunal Mehta (Legoktm) legoktm.wikipe...@gmail.com changed:

   What|Removed |Added

 Status|PATCH_TO_REVIEW |RESOLVED
 Resolution|--- |FIXED



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

Gerrit Notification Bot gerritad...@wikimedia.org changed:

   What|Removed |Added

 Status|RESOLVED|PATCH_TO_REVIEW
 Resolution|FIXED   |---



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

--- Comment #20 from Gerrit Notification Bot gerritad...@wikimedia.org ---
Change 164271 had a related patch set uploaded by Legoktm:
SECURITY: OutputPage: Remove separation of css and js module allowance

https://gerrit.wikimedia.org/r/164271



[Bug 70672] User specified CSS loads on Special:Preferences / Special:UserLogin

2014-10-01 Thread bugzilla-daemon
https://bugzilla.wikimedia.org/show_bug.cgi?id=70672

--- Comment #21 from Gerrit Notification Bot gerritad...@wikimedia.org ---
Change 164271 merged by jenkins-bot:
SECURITY: OutputPage: Remove separation of css and js module allowance

https://gerrit.wikimedia.org/r/164271
