> It'd be very nice to be able to add widgets, yeah. The problem with
> that is that you have to design it very carefully, because allowing
> Flash and Javascript can lead to significant security holes, which
> would be Bad.

Jesse and I were talking about this the other night. The rules against JS/Flash were established before we forced per-user subdomains to be on. Once everything split out to subdomains, then the security policy became antiquated and should be revisited.

I think it's probably okay to allow JS and Flash in styles. (NOT entries/comments as they can be viewed in various places!) But allowing someone to have really interesting styles? I could see that being a real possibility.

> The solution's probably going to be to add specific widgets to a
> whitelist -- build a system of "approved"/safe widgets that we pre-
> screen and vet, let people configure them with their usernames/
> userIDs/what-have-you, and add them that way.

Yes, a whitelist is the easiest way to do this sort of thing, and there are already some whitelisted Flash things like the YouTube/embedding stuff. (Which, we need to make sure that sort of thing works on DW...)

--
Mark Smith / xb95
[email protected]

_______________________________________________
dw-discuss mailing list
[email protected]
http://lists.dwscoalition.org/cgi-bin/mailman/listinfo/dw-discuss
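
The whitelist approach discussed in this thread, sketched as an added example (not part of the original e-mail and not Dreamwidth code): the user supplies only a widget name and parameter values, and the server builds the embed markup itself. The widget entries, `render_widget`, `WidgetRejected`, and the `widgets.example.com` host are assumptions made for illustration.

```python
import re
from html import escape
from urllib.parse import quote

# Constructed allowlist: each approved widget has a fixed URL template and
# a strict pattern per configurable parameter. Entries are illustrative.
APPROVED_WIDGETS = {
    "youtube": {
        "template": "https://www.youtube.com/embed/{video_id}",
        "params": {"video_id": re.compile(r"[A-Za-z0-9_-]{11}")},
    },
    "example-badge": {  # hypothetical widget on a placeholder host
        "template": "https://widgets.example.com/badge?user={username}",
        "params": {"username": re.compile(r"[a-z0-9_]{2,25}")},
    },
}


class WidgetRejected(ValueError):
    """Raised when a widget request is not covered by the allowlist."""


def render_widget(name, config):
    """Return iframe markup for an approved widget, or raise WidgetRejected.

    The user only ever supplies a widget name and parameter values; the
    markup and the URL are built server-side, so no user HTML passes through.
    """
    spec = APPROVED_WIDGETS.get(name)
    if spec is None:
        raise WidgetRejected(f"widget not approved: {name!r}")
    if set(config) != set(spec["params"]):
        raise WidgetRejected("unexpected or missing parameters")
    values = {}
    for key, pattern in spec["params"].items():
        value = config[key]
        # fullmatch: the whole value must fit the pattern, not just a prefix
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise WidgetRejected(f"invalid value for {key}")
        values[key] = quote(value, safe="")
    src = spec["template"].format(**values)
    # sandbox keeps the frame from navigating the top page or opening popups
    return (f'<iframe src="{escape(src, quote=True)}" '
            'sandbox="allow-scripts allow-same-origin"></iframe>')
```
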
