Difference between revisions of "User talk:Ilmari Karonen/JS injection demo"

From Jmol
(discuss the risk involved)
 
(I'm not supposed to be able to run arbitrary JavaScript in your browser in the wiki's context)
Line 4: Line 4:

What is the risk in letting the extension do so? Maybe the wikis are not allowed to run javascript under normal conditions?

--[[User:AngelHerraez|AngelHerraez]] 20:26, 29 November 2008 (CET)

+ :As a random, unprivileged editor, I'm not supposed to be able to run arbitrary JavaScript in your browser in the wiki's context. If I can do that, I can e.g. make edits or send e-mail to other users in your name, obtain information about your computer and your browsing habits that the wiki software doesn't normally reveal, or even trick you into giving me your wiki password, which I can then try to use to log onto other sites. The last part isn't quite as easy on the latest MediaWiki versions as it is on e.g. MediaWiki 1.12 (as used on this site), since a few of the more obvious ways to do that have been plugged, but it's certainly still possible. --[[User:Ilmari Karonen|Ilmari Karonen]] 21:22, 29 November 2008 (CET)

Revision as of 20:22, 29 November 2008

Right, Jmol can invoke javascript commands, so the MediaWiki extension channels those commands.

But most pages do run javascript. What is the risk in letting the extension do so? Maybe the wikis are not allowed to run javascript under normal conditions? --AngelHerraez 20:26, 29 November 2008 (CET)

As a random, unprivileged editor, I'm not supposed to be able to run arbitrary JavaScript in your browser in the wiki's context. If I can do that, I can e.g. make edits or send e-mail to other users in your name, obtain information about your computer and your browsing habits that the wiki software doesn't normally reveal, or even trick you into giving me your wiki password, which I can then try to use to log onto other sites. The last part isn't quite as easy on the latest MediaWiki versions as it is on e.g. MediaWiki 1.12 (as used on this site), since a few of the more obvious ways to do that have been plugged, but it's certainly still possible. --Ilmari Karonen 21:22, 29 November 2008 (CET)
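An added example of the mitigation side of the risk Ilmari describes (this is not code from the Jmol extension or from either participant): an allowlist filter that drops any Jmol command not explicitly permitted, `javascript` included, before an editor-supplied script reaches the applet. The command grammar it assumes and the contents of the allowlist are assumptions, not Jmol's real command set.

```javascript
// Added example, not code from the Jmol extension or its authors. Assumptions:
// Jmol commands are separated by ';' or newlines, a command begins with its
// name, '#' opens a comment outside double quotes, and ALLOWED_COMMANDS is a
// constructed sample rather than Jmol's real command set.
const ALLOWED_COMMANDS = new Set(['load', 'select', 'color', 'spin',
  'spacefill', 'wireframe', 'cartoon', 'zoom', 'rotate', 'background']);

// Split a script into commands while respecting double-quoted strings, so a
// ';' or '#' inside a quoted argument does not end the command early.
function splitJmolCommands(script) {
  const commands = [];
  let cur = '';
  let inQuote = false;
  let inComment = false;
  for (const ch of script) {
    if (inComment) {
      if (ch === '\n') { inComment = false; commands.push(cur); cur = ''; }
      continue;
    }
    if (inQuote) {
      cur += ch;
      if (ch === '"') inQuote = false;
      continue;
    }
    if (ch === '"') { inQuote = true; cur += ch; }
    else if (ch === '#') inComment = true;
    else if (ch === ';' || ch === '\n') { commands.push(cur); cur = ''; }
    else cur += ch;
  }
  commands.push(cur);
  return commands.map(c => c.trim()).filter(c => c.length > 0);
}

// Keep only commands whose name is allowlisted. Anything else, including
// 'javascript', 'script' and unknown names, is dropped and reported so an
// edit filter or log can flag it. A command with an unbalanced quote is also
// rejected, because the applet's own parser might read it differently.
function filterJmolScript(script) {
  const kept = [];
  const rejected = [];
  for (const cmd of splitJmolCommands(script)) {
    const name = cmd.split(/\s+/)[0].toLowerCase();
    const balanced = (cmd.match(/"/g) || []).length % 2 === 0;
    (balanced && ALLOWED_COMMANDS.has(name) ? kept : rejected).push(cmd);
  }
  return { script: kept.join('; '), rejected };
}
```

The allowlist has to be kept in step with whatever the applet actually parses; an allowlist that is looser than the applet's grammar is exactly the gap an injection would go through.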