The MU forums have moved to WordPress.org

Site wide logins (8 posts)

  1. donncha
    Key Master
    Posted 17 years ago #

    I've just checked in a change to wp-settings.php so that cookies are visible to a whole domain, not just the hostname they were set on.

    What this means in practical terms is if you are using VHOSTS then you can go to another blog on your domain and be logged in. When logging in through the main blog you'll be automatically redirected to your own dashboard and logged in!

    Unfortunately, this has an implication for security. You should be certain that untrusted Javascript cannot run on user blogs. Javascript can be used to steal cookies very easily. Once someone gets your cookies it's very easy for them to login as you and do bad things.

    This has always been the case for subdir blogs because they're running on the same hostname.
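    The cookie-scope change described above, as an added illustration (not code from this thread or from WordPress MU): a host-only cookie is returned only to the hostname that set it, while a cookie with a Domain attribute of the whole domain is returned to every blog under it, which is what makes the site-wide login work and also what lets script on any of those blogs read it unless the cookie is flagged HttpOnly. The hostnames are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: Optional[str]       # None = host-only cookie (set without a Domain attribute)
    http_only: bool = False     # HttpOnly keeps the cookie out of document.cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: identical, or cookie_domain is a dotted suffix."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")   # leading dot is ignored by browsers
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def sent_to(cookie: Cookie, set_on_host: str, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie.domain is None:
        # Host-only: the old wp-settings.php behaviour, one hostname only.
        return request_host.lower() == set_on_host.lower()
    # Domain cookie: the new behaviour, visible to the whole domain.
    return domain_matches(request_host, cookie.domain)


def script_readable(cookie: Cookie, set_on_host: str, request_host: str) -> bool:
    """Can JavaScript running on request_host read the cookie via document.cookie?"""
    return sent_to(cookie, set_on_host, request_host) and not cookie.http_only


if __name__ == "__main__":
    # Constructed hosts for a VHOST-style MU install.
    main_blog, user_blog, lookalike = "example.com", "blog1.example.com", "notexample.com"
    host_only = Cookie("wordpressuser", domain=None)
    site_wide = Cookie("wordpressuser", domain=".example.com")
    hardened = Cookie("wordpressuser", domain=".example.com", http_only=True)
    for c in (host_only, site_wide, hardened):
        for host in (main_blog, user_blog, lookalike):
            print(f"domain={c.domain!s:<13} HttpOnly={c.http_only!s:<5} {host:<18} "
                  f"sent={sent_to(c, main_blog, host)!s:<5} "
                  f"script_readable={script_readable(c, main_blog, host)}")
```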

  2. quenting
    Member
    Posted 17 years ago #

    Good move, I had already made such a modification on my installation.
    If they were allowed to use javascript they could do it with the previous setup anyway. js for users = evil.

  3. PleaseHelp
    Member
    Posted 17 years ago #

    How can I disable JS on users' blogs?

  4. donncha
    Key Master
    Posted 17 years ago #

    It's already done :)

  5. andrewbillits
    Member
    Posted 17 years ago #

    donncha,

    This will also help with comments, true?

  6. donncha
    Key Master
    Posted 17 years ago #

    Yes, like on wordpress.com, you'll be logged in automatically when you want to comment on a blog on your site which is rather nice. :)

  7. drmike
    Member
    Posted 17 years ago #

    I wonder if I should be using this as an excuse over on the WP.com forums for one of the reasons why User installed JavaScripts are a bad idea.

  8. donncha
    Key Master
    Posted 17 years ago #

    Oh most certainly! This is one of the main reasons why they're not allowed, although AFAIK, the new https login on the site exposes less information to each blog. I can't tell what happens when you visit a blog through http:// though, that may make the wordpressuser/wordpresspassword cookies visible again.
