see below

On Mon, Nov 3, 2008 at 8:44 AM, Jerome Velociter <[EMAIL PROTECTED]> wrote:

> Sergiu pointed out to me that this had already been discussed in this thread:
> http://markmail.org/message/nirue2ug5ahbsy5b
>
> I agree the security concerns are not very simple to deal with if we
> want to do this.
>

I'm currently thinking about this...
XSS is really annoying :)...
but we fear about the JSX extension but is there any security against JS
injection in any Wiki page ?

At least, JSX could be used as a kind of firewall...
imagine we create some JSX configuration parameters such as "Allowed JSX
external URLs"... (this is just an idea :) )...
Then when you call $jsx.use(externalurl), it is rendered by the JSX
extension which would verify the URL is allowed and if not would generate an
error...

Pascal


> Jerome.
>
> Jerome Velociter wrote:
> > I'm now thinking about another possibility: letting the actual
> > extensions (documents with JavaScriptExtensions objects) declare
> > their library dependencies. We could create a new class for this,
> > which would have the path (absolute in case the file is distant, or name
> > of the file if it's on the FS) as a property. This way an extension can
> > declare as many deps as it needs.
> >
> > This is not necessarily incompatible with the proposition below, we could
> > have both.
> >
> > Jerome.
> >
> > Jerome Velociter wrote:
> >> Hello,
> >>
> >> Following the open question #1 here
> >> http://dev.xwiki.org/xwiki/bin/view/Design/SkinExtensions#HUsage
> >>
> >> "
> >> Open question 1: Should $jsx.useFile("filename.js") work for files
> >> located on the disk? This allows the same pull process to be used with
> >> files located in the skin, without requiring SX documents and objects.
> >> I'd say yes. Then, what should the URL look like?
> >> /xwiki/bin/jsx/skins/albatross/somestyle.css is OK?
> >> "
> >>
> >> I would like to propose to go even further, and to allow injection of
> >> script tags referring libraries on the cloud or on a different server
> >> using the jsx plugin. This would allow to not have users writing scripts
> >> tags in the body of the document to add a library.
> >>
> >> I would see something like :
> >>
> >> $jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")
> >>
> >> or
> >>
> >> $jsx.useFile("http://maps.google.com/maps?file=api&v=2&key=XXX")
> >>
> >> What do you think ?
> >>
> >> Regards,
> >> Jerome.
> >> _______________________________________________
> >> devs mailing list
> >> [email protected]
> >> http://lists.xwiki.org/mailman/listinfo/devs
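A sketch of the "Allowed JSX external URLs" check suggested in the reply above, as an added example that is not code from the thread or from XWiki. The setting name, its format (scheme, host and path prefix per entry), the sample entries and the functions `checkExternalUrl` and `jsxUse` are assumptions made for illustration.

```javascript
// Constructed sample value for a hypothetical "Allowed JSX external URLs" setting.
// Each entry is scheme + host (+ port) + path prefix.
const ALLOWED_JSX_EXTERNAL_URLS = [
  "http://maps.google.com/maps",
  "https://ajax.googleapis.com/ajax/libs/",
];

// A prefix ending in "/" covers everything below it; otherwise the path must be
// the prefix itself or continue with "/", so "/maps" does not cover "/mapsevil".
function pathMatches(path, prefix) {
  if (prefix.endsWith("/")) return path.startsWith(prefix);
  return path === prefix || path.startsWith(prefix + "/");
}

// Returns { ok: true, url } with the normalized URL, or { ok: false, error }.
function checkExternalUrl(raw, allowed = ALLOWED_JSX_EXTERNAL_URLS) {
  let u;
  try {
    u = new URL(raw); // throws on relative or scheme-relative input
  } catch {
    return { ok: false, error: "not an absolute URL" };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:")
    return { ok: false, error: "scheme not allowed" };
  if (u.username || u.password)
    return { ok: false, error: "credentials in URL" };
  for (const entry of allowed) {
    const rule = new URL(entry);
    // Compare parsed components, never raw string prefixes: u.host is
    // lower-cased and u.pathname has "." and ".." segments already resolved.
    if (u.protocol === rule.protocol && u.host === rule.host &&
        pathMatches(u.pathname, rule.pathname))
      return { ok: true, url: u.href };
  }
  return { ok: false, error: "URL not in allowed list" };
}

const escapeAttr = (s) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Hypothetical stand-in for $jsx.use(externalurl): a script tag or an error.
function jsxUse(raw) {
  const r = checkExternalUrl(raw);
  if (!r.ok) throw new Error(`JSX: ${r.error}: ${raw}`);
  return `<script type="text/javascript" src="${escapeAttr(r.url)}"></script>`;
}
```

Such a check only constrains what goes through the JSX call; script tags written directly in a page body, the concern raised in the same reply, are outside its reach.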