User blog comment:Kirkburn/Technical Update: September 2, 2015/@comment-5973717-20150904162145/@comment-5065259-20150905205737

Thanks for clarifying, though it's probably for the best if only staff is able to edit personal js/css besides the user, considering that we get complaints on central over actual legit abusive or mean admins. Now that this is a bit more widely known fact, if it's turned back on for admins there is a higher chance it will be abused, just like the loophole that existed before the moderator removed the ability for regular users to restore an admin closed thread by removing said thread then restoring it. There are very few people that I even bother to ask for help that involves js or css, and I'm not sure if granting those the right to edit these is a good solution. It might be better to move editinterface to a new right for admins to grant to others; it's safer too, since anyone's able to create a wiki, which gives them access to the mediawiki namespace despite that namespace under lockdown currently.

The number one issue, despite giving the option to turn on personal js or css, is that a rogue admin could very easily add arbitrary JS or CSS on a random wiki that was never visited before, that could very easily cause issues. I doubt VSTF would intervene to remove it since it's not in their scope and direct to staff to clean it up.

Not all scripts are in the mediawiki namespace; we do have a couple of scripts that are imported from the user namespace - notably chathacks by monchoman45. While I agree that those should be moved to the mediawiki namespace, not always are those users admin and thus would lose the ability to update the script, since only admins have the editinterface permission. When I mentioned to ask the dev wiki to check forking code, I was not implying that any of them had the responsibility or were obligated to actually check it.

Either way, what's important now is to fix the security problems and prevent further unnecessary risks. Since the default setting is to allow only users to edit their own js or css, that should be kept, with staff able to perform emergency edits rather than admins who could potentially make it worse. That being said, admins should not automatically have the right to the mediawiki namespace, rather a new group. Only users who are competent or are somewhat capable should be allowed to, and should require community/admin approval to get the right from staff. Admins/bcrat should not be granting this, as those who are not competent would just grant it to themselves, creating unnecessary risk. While one could say that this would limit everyone from editing js or css, that's a lot better than having exploits.