> Tim Starling wrote:
> > For example, if a hacker wanted a page deleted
> Deletion is not editing. Stick to the topic!
> > they could write some javascript, put it up on their website, then
> > post a link to it on the user talk page of an administrator.
> Which is OK, if it's just an edit, and it will be posted by its IP
> (rather than the admin's username).
No, it'll be posted under the admin's username. The request is sent with the
cookies associated with the site that is posted to. Due to privacy
restrictions on javascript, the script cannot obtain the text of any pages
requested from another domain, so we deny requests from offsite javascript
by requiring all write operations to first obtain a key from a page on our site.
The code and all the problems with it are shared between deletion and editing.
-- Tim Starling
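The defence Tim describes above, as an added example that is not MediaWiki's own code: a write handler that accepts the browser's cookie as proof of the session but additionally requires a key minted by a same-origin page, which offsite script cannot read. The session store, cookie values and the `wpEditToken` field name are constructed for the demo; only the session-bound-token check is the point.

```python
import hmac
import secrets

# Constructed in-memory state: cookie value -> logged-in user, and the
# per-session edit token handed out by the edit form.
SESSIONS = {"cookie-admin": "AdminUser"}
EDIT_TOKENS = {}


def get_edit_page(cookie):
    """Same-origin GET of the edit form. Mints (or reuses) a token bound to the
    session and embeds it in the page. Script on another domain can trigger this
    request but cannot read the response, so it never learns the token."""
    user = SESSIONS.get(cookie)
    if user is None:
        return None
    token = EDIT_TOKENS.setdefault(cookie, secrets.token_hex(16))
    return {"user": user, "edit_token": token}


def handle_write(cookie, form):
    """A write operation (edit or delete). Returns (status, acting user).
    The cookie proves the session; the token proves the request was built
    from a page our site served to that same session."""
    user = SESSIONS.get(cookie)
    if user is None:
        return ("denied: not logged in", None)
    expected = EDIT_TOKENS.get(cookie)
    supplied = form.get("wpEditToken")
    if expected is None or supplied is None or not hmac.compare_digest(expected, supplied):
        return ("denied: missing or bad edit token", None)
    return ("ok", user)


def demo():
    # Forged request from an offsite page: the victim's browser attaches the
    # admin's cookie, but the form carries no token (or a guessed one).
    forged = handle_write("cookie-admin", {"title": "Some page", "action": "delete"})
    guessed = handle_write("cookie-admin", {"title": "Some page", "wpEditToken": "0" * 32})
    # Legitimate request: the admin's own browser loaded the edit form first.
    page = get_edit_page("cookie-admin")
    legit = handle_write("cookie-admin", {"title": "Some page", "wpEditToken": page["edit_token"]})
    return forged, guessed, legit


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Note that the forged request is still sent under the admin's session, exactly as the thread says; the token check is what stops it from being applied as an edit or a deletion.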