User blog comment:Rappy 4187/Technical Update: August 31, 2015/@comment-24473195-20150831233511/@comment-24473195-20150902091651

@Nerfmaster8

"if there is bad personal css or js, local admins can simply delete it."

No they can't. Admins cannot delete or create any js file at this point in time.

@kirkburn:

It would be nice if this option was expanded to block wiki-specific js too. That way, no matter what crazy "gimmicks" we admins put in the wikis the users are automatically shielded from it. That simple change would have reduced the impact of some issues and recent security exploits :


 * Redirects wouldn't have worked because the user wouldn't be running the wiki's js.
 * Script errors that break functionality (e.g. visual editor not working) would be a non-issue.

Considering that the vast majority of wikis don't use custom js, activating custom wiki-specific js on demand regardless of what the admins  want (e.g. autoplaying music) seems like a good approach in my opinion.