User talk:Ilmari Karonen/JS injection demo - Revision history

Ilmari Karonen: seems to be fixed now

2008-12-08T21:50:09Z

seems to be fixed now

AngelHerraez at 20:50, 8 December 2008

2008-12-08T20:50:13Z

Ilmari Karonen: I'm not supposed to be able to run arbitrary JavaScript in your browser in the wiki's context

2008-11-29T20:22:40Z

I'm not supposed to be able to run arbitrary JavaScript in your browser in the wiki's context

AngelHerraez: discuss the risk involved

2008-11-29T19:26:53Z

discuss the risk involved

New page

Right, Jmol can invoke javascript commands, so the MediaWiki extension channels those commands.

But most pages do run javascript.
What is the risk in letting the extension do so? Maybe the wikis are not allowed to run javascript under normal conditions?
--[[User:AngelHerraez|AngelHerraez]] 20:26, 29 November 2008 (CET)

← Older revision		Revision as of 21:50, 8 December 2008
Line 8:		Line 8:

	:: Ilmari, can you please check the page again? I have done some fixes in the extension and it is now updated in this wiki. No javascript should be executed by the extension now. --[[User:AngelHerraez\|AngelHerraez]] 21:50, 8 December 2008 (CET)		:: Ilmari, can you please check the page again? I have done some fixes in the extension and it is now updated in this wiki. No javascript should be executed by the extension now. --[[User:AngelHerraez\|AngelHerraez]] 21:50, 8 December 2008 (CET)
		+
		+	::: Yup, seems to be fixed now. Thanks. --[[User:Ilmari Karonen\|Ilmari Karonen]] 22:50, 8 December 2008 (CET)

← Older revision		Revision as of 20:50, 8 December 2008
Line 6:		Line 6:

	:As a random, unprivileged editor, I'm not supposed to be able to run arbitrary JavaScript in your browser in the wiki's context. If I can do that, I can e.g. make edits or send e-mail to other users in your name, obtain information about your computer and your browsing habits that the wiki software doesn't normally reveal, or even trick you into giving me your wiki password, which I can then try to use to log onto other sites. The last part isn't quite as easy on the latest MediaWiki versions than it is on e.g. MediaWiki 1.12 (as used on this site), since a few of the more obvious ways to do that have been plugged, but it's certainly still possible. --[[User:Ilmari Karonen\|Ilmari Karonen]] 21:22, 29 November 2008 (CET)		:As a random, unprivileged editor, I'm not supposed to be able to run arbitrary JavaScript in your browser in the wiki's context. If I can do that, I can e.g. make edits or send e-mail to other users in your name, obtain information about your computer and your browsing habits that the wiki software doesn't normally reveal, or even trick you into giving me your wiki password, which I can then try to use to log onto other sites. The last part isn't quite as easy on the latest MediaWiki versions than it is on e.g. MediaWiki 1.12 (as used on this site), since a few of the more obvious ways to do that have been plugged, but it's certainly still possible. --[[User:Ilmari Karonen\|Ilmari Karonen]] 21:22, 29 November 2008 (CET)
		+
		+	:: Ilmari, can you please check the page again? I have done some fixes in the extension and it is now updated in this wiki. No javascript should be executed by the extension now. --[[User:AngelHerraez\|AngelHerraez]] 21:50, 8 December 2008 (CET)

← Older revision		Revision as of 20:22, 29 November 2008
Line 4:		Line 4:
	What is the risk in letting the extension do so? Maybe the wikis are not allowed to run javascript under normal conditions?		What is the risk in letting the extension do so? Maybe the wikis are not allowed to run javascript under normal conditions?
	--[[User:AngelHerraez\|AngelHerraez]] 20:26, 29 November 2008 (CET)		--[[User:AngelHerraez\|AngelHerraez]] 20:26, 29 November 2008 (CET)
		+
		+	:As a random, unprivileged editor, I'm not supposed to be able to run arbitrary JavaScript in your browser in the wiki's context. If I can do that, I can e.g. make edits or send e-mail to other users in your name, obtain information about your computer and your browsing habits that the wiki software doesn't normally reveal, or even trick you into giving me your wiki password, which I can then try to use to log onto other sites. The last part isn't quite as easy on the latest MediaWiki versions than it is on e.g. MediaWiki 1.12 (as used on this site), since a few of the more obvious ways to do that have been plugged, but it's certainly still possible. --[[User:Ilmari Karonen\|Ilmari Karonen]] 21:22, 29 November 2008 (CET)