Smalyshev added a comment.

> But if our wikis accept CORS requests from the service's domain, then an xss
> in this service can lead to significant issues on the wikis (steal user
> tokens,

Aren't our tokens HTTP only? If we allow content from *.wikidata.org to be injected to any wiki, then this means test.wikidata.org is included too and any domain that is in wikidata.org. Maybe we can set it to www.wikidata.org only? I'm not sure we need other wikis to pull anything from test.wikidata.org, do we?

TASK DETAIL
https://phabricator.wikimedia.org/T107602
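The difference between the two allowlists discussed above (wildcard `*.wikidata.org` versus exact `www.wikidata.org`), as an added illustration that is not MediaWiki code and not part of the task: a CORS origin check that decides whether a request's `Origin` may be reflected in a credentialed `Access-Control-Allow-Origin` grant. The allowlist entries, the https-only rule and the helper names are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlists for the two options under discussion.
WILDCARD_ALLOWLIST = ["*.wikidata.org"]   # any subdomain, test.wikidata.org included
STRICT_ALLOWLIST = ["www.wikidata.org"]   # exactly one host


def _parse_origin(origin: str):
    """Return (scheme, host) for a well-formed Origin header, else None.

    An Origin is scheme://host[:port] with no path; anything else
    (the literal 'null', garbage, a URL with a path) is rejected.
    """
    parts = urlsplit(origin)
    try:
        port = parts.port
    except ValueError:          # non-numeric port
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or port is not None:
        return None             # assumption: only default-port origins are ever allowed
    return parts.scheme, parts.hostname.lower()


def origin_allowed(origin: str, allowlist) -> bool:
    """True if origin matches an allowlist entry.

    A '*.example' entry matches one or more subdomain labels but never the
    bare apex and never look-alikes such as 'evil-wikidata.org' or
    'www.wikidata.org.attacker.example'. Plain entries must match exactly.
    Only https origins qualify (assumption for this example).
    """
    parsed = _parse_origin(origin)
    if parsed is None or parsed[0] != "https":
        return False
    host = parsed[1]
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[1:]                         # ".wikidata.org"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


def cors_headers(origin: str, allowlist) -> dict:
    """Response headers to add; an empty dict means no CORS grant at all.

    Allow-Credentials is what lets the allowed origin read responses made
    with the user's cookies (e.g. a token-fetching API call), so widening
    the allowlist widens who can do that.
    """
    if not origin_allowed(origin, allowlist):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,   # echo the one matched origin, never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                        # keep caches from cross-serving grants
    }
```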