https://www.mediawiki.org/wiki/Extension:StatCounter.com_Integration
sc_project=11093954
sc_security="9472548e
@labster I haven't looked at the code, but IDisplay presents immediate security concerns to me. Personally I'd like to see "SAFE" always forced on, as I don't think external pages should be loaded without users' consent.
Additionally I was hoping the stat counter thing would just be a public hit counter (in which case performance was the only concern) but it appears to be an external analytics / tracking service (StatCounter.com) that I know nothing about.
Extension:Statcounter.com_Integration is approved from a security point of view. From a policy point of view, who knows. See T680: Add statistics interface for founders/users
While it doesn't violate the letter of the rules, I'd like to know if we could provide something better internally. But maybe it's just a good idea to enable it now instead of dealing with all sorts of MW NS widgets, so we could disable it once we develop an alternative? I'd like another point of view on what to do here.
Extension:IDisplay is declined due to a super-obvious XSS vulnerability. I have emailed the author and asked for a new version, but it's pretty old so I don't know if the author will notice. Also the code is licensed under "GPL", so who knows what the real license is (2.0? 3.0?, Greg's Proprietary License?); I'm not entirely clear we have a license to use this code.
Just as an update, I did get a license to reuse and redistribute the code for Extension:IDisplay and I've put a repo up here: https://github.com/miraheze/IDisplay. That said, I haven't really gotten time to update it and make it secure-ish. I think the main task is to have the overlay not depend on an outside server. I'd replace it with JavaScript if practical.