Pascal Voitot wrote:
> see below
>
> On Mon, Nov 3, 2008 at 8:44 AM, Jerome Velociter <[EMAIL PROTECTED]> wrote:
>
>   
>> Sergiu pointed out to me that this had already been discussed in this thread:
>> http://markmail.org/message/nirue2ug5ahbsy5b
>>
>> I agree the security concerns are not very simple to deal with if we
>> want to do this.
>>
>>     
>
> I'm currently thinking about this...
> XSS is really annoying :)...
> but we worry about the JSX extension, but is there any security against JS
> injection in any Wiki page?
>
> At least, JSX could be used as a kind of firewall...
> imagine we create some JSX configuration parameters such as "Allowed JSX
> external URLs"... (this is just an idea :) )...
> Then when you call $jsx.use(externalurl), it is rendered by the JSX
> extension, which would verify the URL is allowed and, if not, would generate an
> error...
>   

Yes, a white list would do the trick.
Another idea would be to protect calls to external libs with programming 
rights in the plugin, thus transferring the responsibility to call only 
non-malicious URLs to the developer(s).

Jerome

> Pascal
>
>
>   
>> Jerome.
>>
>> Jerome Velociter wrote:
>>     
>>> I'm now thinking about another possibility : letting the actual
>>> extensions (documents with JavaScriptExtensions objects) declare
>>> their library dependencies. We could create a new class for this,
>>> which would have the path (absolute in case the file is distant, or name
>>> of the file if it's on the FS) as a property. This way an extension can
>>> declare as many deps as it needs.
>>>
>>> This is not necessarily incompatible with the proposition below, we could
>>> have both.
>>>
>>> Jerome.
>>>
>>> Jerome Velociter wrote:
>>>       
>>>> Hello,
>>>>
>>>> Following the open question #1 here
>>>> http://dev.xwiki.org/xwiki/bin/view/Design/SkinExtensions#HUsage
>>>>
>>>> "
>>>> Open question 1: Should $jsx.useFile("filename.js") work for files
>>>> located on the disk? This allows the same pull process to be used with
>>>> files located in the skin, without requiring SX documents and objects.
>>>> I'd say yes. Then, what should the URL look like?
>>>> /xwiki/bin/jsx/skins/albatross/somestyle.css is OK?
>>>> "
>>>>
>>>> I would like to propose to go even further, and to allow injection of
>>>> script tags referring to libraries in the cloud or on a different server
>>>> using the jsx plugin. This would avoid having users write script
>>>> tags in the body of the document to add a library.
>>>>
>>>> I would see something like :
>>>>
>>>> $jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")
>>>>
>>>> or
>>>>
>>>> $jsx.useFile("http://maps.google.com/maps?file=api&v=2&key=XXX")
>>>>
>>>> What do you think ?
>>>>
>>>> Regards,
>>>> Jerome.
>>>> _______________________________________________
>>>> devs mailing list
>>>> [email protected]
>>>> http://lists.xwiki.org/mailman/listinfo/devs
>>>>         
>>>       
>>
>>     
>   

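The allow-list idea discussed in the thread (a configuration parameter listing the external URLs $jsx.use(externalurl) may load, checked when the script tag is rendered), as an added example that is not code from XWiki or its JSX plugin. The class name, the method names, the "host/path-prefix" configuration format and the sample URLs are assumptions made for illustration; the Google Maps URL is the one from the proposal. The point it demonstrates is that the check has to be done on the parsed URL (scheme, host, normalized path), because a substring or prefix match on the raw string is bypassable with a look-alike host, a userinfo component, or the allowed URL embedded in another URL's query string.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Hypothetical "Allowed JSX external URLs" check (assumed design, not XWiki code).
 * An entry is an exact host plus a path prefix the script must live under.
 */
public final class ExternalScriptAllowlist {

    static final class Entry {
        final String host;
        final String pathPrefix;
        Entry(String host, String pathPrefix) {
            this.host = host.toLowerCase(Locale.ROOT);
            this.pathPrefix = pathPrefix;
        }
    }

    private final List<Entry> entries;

    ExternalScriptAllowlist(List<Entry> entries) { this.entries = entries; }

    /** Parses the assumed configuration format "host/path-prefix,host/path-prefix". */
    static ExternalScriptAllowlist parse(String config) {
        List<Entry> list = new ArrayList<>();
        for (String item : config.split(",")) {
            item = item.trim();
            if (item.isEmpty()) continue;
            int slash = item.indexOf('/');
            String host = slash < 0 ? item : item.substring(0, slash);
            String path = slash < 0 ? "/" : item.substring(slash); // no path given: whole host
            list.add(new Entry(host, path));
        }
        return new ExternalScriptAllowlist(list);
    }

    /** True only if the parsed URL is http(s), has no userinfo, and matches an entry. */
    boolean isAllowed(String rawUrl) {
        URI uri;
        try {
            uri = new URI(rawUrl).normalize(); // normalize() resolves "/maps/../other" before the prefix check
        } catch (URISyntaxException e) {
            return false; // an unparsable URL is never allowed
        }
        String scheme = uri.getScheme();
        if (scheme == null) return false;
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) return false; // rejects javascript:, data:, ...
        if (uri.getRawUserInfo() != null) return false; // rejects http://maps.google.com@evil.example/
        String host = uri.getHost();
        if (host == null) return false;
        host = host.toLowerCase(Locale.ROOT);
        String path = (uri.getRawPath() == null || uri.getRawPath().isEmpty()) ? "/" : uri.getRawPath();
        for (Entry e : entries) {
            if (host.equals(e.host) && path.startsWith(e.pathPrefix)) return true;
        }
        return false;
    }

    /** Renders the script tag for an allowed URL; the error case is the one the thread proposes. */
    String scriptTag(String rawUrl) {
        if (!isAllowed(rawUrl)) {
            throw new IllegalArgumentException("URL not in allowed JSX external URLs: " + rawUrl);
        }
        return "<script type=\"text/javascript\" src=\"" + escapeAttr(rawUrl) + "\"></script>";
    }

    /** Attribute escaping so an allowed URL cannot break out of the src="" attribute. */
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed configuration and sample URLs (assumptions, not real XWiki settings).
        ExternalScriptAllowlist allow = parse("maps.google.com/maps, ajax.googleapis.com/ajax/libs/");
        String[] urls = {
            "http://maps.google.com/maps?file=api&v=2&key=XXX",                     // ALLOW: the URL from the proposal
            "https://ajax.googleapis.com/ajax/libs/prototype/1.6.0.3/prototype.js",  // ALLOW: under the path prefix
            "http://MAPS.GOOGLE.COM/maps",                                           // ALLOW: host is case-insensitive
            "http://maps.google.com.evil.example/maps",                              // DENY: look-alike host
            "http://maps.google.com@evil.example/maps",                              // DENY: userinfo trick
            "http://evil.example/?u=http://maps.google.com/maps",                    // DENY: substring match would pass this
            "http://maps.google.com/maps/../other.js",                               // DENY: dot segments normalized away
            "javascript:alert(1)"                                                    // DENY: non-http scheme
        };
        for (String u : urls) {
            System.out.println((allow.isAllowed(u) ? "ALLOW " : "DENY  ") + u);
        }
        System.out.println(allow.scriptTag(urls[0]));
    }
}
```

Two caveats a practitioner would attach to this design. First, the allow list only restricts which origins may be loaded; whatever those hosts serve runs with the full privileges of the wiki page, so Jerome's second idea (requiring programming rights to reference an external library) is the control that actually bounds who can introduce such a dependency. Second, the check must run at render time on the configured value, not on what the document author wrote, otherwise a page that was saved before the list was tightened keeps loading its old script.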