User blog comment:Kirkburn/Technical Update: September 2, 2015/@comment-5973717-20150904162145/@comment-166269-20150904165436

Admins have always had the ability to edit the personal CSS and JS pages of any user. This means that a rogue or vindictive admin, or someone who's managed to hack an admin account, could add arbitrary CSS or JS for any user, which would be automatically and immediately applied for them the next time they visited Wikia while logged in, without their consent or knowledge (caching notwithstanding). The removal of the ability for admins to edit arbitrary user CSS/JS mitigates this attack vector, of course, but the addition of a user preference for enabling user JS in the first place, and defaulting it to disabled, allows Wikia to keep their options open going forward, so that they might later be able to reenable admin editing of these pages, to some degree at least, or perhaps even introduce a more general system that could allow non-admins to edit these pages under specific circumstances,