Does my application need a security review

Different projects require different levels of involvement from the Security team. These can include one or more of:
 * Review by Platform's Security member during design
 * Review by Platform's Security member before deployment
 * Review by a security enthusiast on your team
 * Self assessment

All significant new MediaWiki features or new MediaWiki extensions should have browser tests defined that allow our Web_application_security_scanner to find an scan inputs.

Review by Platform's Security member during design
The follow situations need to have input from members of Platform's security team early in the development process. These features need to be designed and implemented correctly, or will often require significant work to fix.
 * The feature or application involve changes to MediaWiki's user authentication, authorization, or session management. Or implementing your own.
 * Changing the security controls that MediaWiki uses for database, command execution, or output sanitization. Or implementing your own.
 * Changing the user rights or permissions within MediaWiki
 * New services or entry points into MediaWiki

Review by Platform's Security member before deployment

 * Does your feature or application display private data to privileged users

Review is probably not needed
If the following conditions are met, your application or feature may not need a security review.
 * The extension or feature was written and reviewed by users who currently have +2/merge rights for MediaWiki core, and the extension or feature was reviewed with the intent and level of care for deploying it on a WMF wiki.

- OR -


 * The feature does not run on a WMF domain, or any domain with CORS access to a WMF domain.
 * And the application/feature does not handle any data protected by the WMF privacy policy