https://bugzilla.wikimedia.org/show_bug.cgi?id=11106

Krinkle <krinklem...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |krinklem...@gmail.com

--- Comment #7 from Krinkle <krinklem...@gmail.com> ---
I'm not sure I see how making this entire thing a configuration variable is a
good thing. Security should not be configurable.

Another big reason why url() is forbidden is to avoid cross-domain requests
being made from a wiki page (especially with regards to CSRF, DDOS, traffic
sniffing, privacy policy etc.).

When additional security issues are found and added to MediaWiki, existing
installs that customised this filter for some silly feature will no longer be
using adequate security measures.

I recommend this feature be reverted and we figure out a way to enable this
other use of url() in a sane way. Whether we want that way to be allowed always
or behind an opt-in flag is a separate question, but I don't think there is a
valid use case for making the entire thing configurable. That only complicates
maintenance, security updates, and overall mobility of wikitext between sites.

_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l