I think you're all overreacting: https://phabricator.miraheze.org/T3520
I've never even visited that wiki, and I would bet most of you did not either. See, the thing is that gadgets can include basically any JS. So you have to trust the wiki admins, not just Miraheze, when you visit a site. For most of us, we were never at risk. If you visited that wiki, they could have stolen CSRF IDs and login names and session tokens, which would be enough to impersonate you -- until we cleared all of the sessions, which is what we did. In theory if you logged in through that domain, they could have gotten user/pass which would be a persistent threat... but as far as I know the script did not do that. The CSP will definitely help in the future, but there's always a matter of balancing threats with admins' needs for customization. In theory, Google is trusted so it could carry out the same attack on a targeted user, and we can't do anything (well... subresource integrity, but that's only half of us).
"Kitto daijoubu da yo." - Sakura Kinomoto