> On July 8, 2014, 1:18 a.m., Kevin Sweeney wrote:
> > src/main/python/apache/thermos/observer/http/templates/filebrowse.tpl, line 62
> > <https://reviews.apache.org/r/23329/diff/1/?file=625207#file625207line62>
> >
> >     -1, this is pretty much unacceptable from a security standpoint - data 
> > visible to the observer origin includes sensitive application logs
> >     
> >     -1 from a reliability standpoint as well - the observer is used to 
> > debug low-level infrastructure and a dependency on an external CDN doesn't 
> > work for that.

Thermos serves its static content (including the bundled jquery) and logs over 
http, in clear text... that's a bigger security risk, no?

I understand why you wouldn't trust any old CDN, but why can't we trust 
Google's?

We could instead use the local copy as a fallback:

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script>window.jQuery || document.write('<script src="/assets/jquery.js">\x3C/script>')</script>


- David


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/23329/#review47428
-----------------------------------------------------------


On July 8, 2014, 1:08 a.m., David Robinson wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/23329/
> -----------------------------------------------------------
> 
> (Updated July 8, 2014, 1:08 a.m.)
> 
> 
> Review request for Aurora, David McLaughlin and Brian Wickman.
> 
> 
> Bugs: AURORA-578
>     https://issues.apache.org/jira/browse/AURORA-578
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> remove embedded jquery
> 
> 
> Diffs
> -----
> 
>   src/main/python/apache/thermos/observer/http/assets/jquery.js 
> 3774ff986139c8a7534e14bc8987fe80418dcc1b 
>   src/main/python/apache/thermos/observer/http/templates/filebrowse.tpl 
> 511d7c06206ae5fd8a4206683f09348e1276b8c4 
>   src/main/python/apache/thermos/observer/http/templates/index.tpl 
> 3ccb6e841c932cb8bcb43b765e0b5aa8bc567f88 
>   src/main/python/apache/thermos/observer/http/templates/logbrowse.tpl 
> b182a4b331fbe8b9dd437194d195d220184a2f7c 
> 
> Diff: https://reviews.apache.org/r/23329/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> David Robinson
> 
>
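
A check for the concern debated in this thread, as an added example that is not part of the original messages or of the Aurora code base: it scans a template for `<script>` tags that load from another origin, including protocol-relative URLs like the one proposed above. The class and function names and the `/assets/observer.js` include are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSourceAudit(HTMLParser):
    """Collect <script src=...> values that load from another origin."""

    def __init__(self, allowed_hosts=()):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line number, src) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script: nothing is fetched by this tag itself
        # urlsplit() reports a host for absolute URLs and for
        # protocol-relative ones such as //ajax.googleapis.com/...
        host = (urlsplit(src.strip()).hostname or "").lower()
        if host and host not in self.allowed_hosts:
            self.findings.append((self.getpos()[0], src))


def external_scripts(template_text, allowed_hosts=()):
    """Return [(line, src), ...] for scripts served by a host not allowed."""
    audit = ScriptSourceAudit(allowed_hosts)
    audit.feed(template_text)
    audit.close()
    return audit.findings


# The two tags from the message above, plus a constructed same-origin include.
SAMPLE_TEMPLATE = """<html><head>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script>window.jQuery || document.write('<script src="/assets/jquery.js">\\x3C/script>')</script>
<script src="/assets/observer.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for line, src in external_scripts(SAMPLE_TEMPLATE):
        print(f"line {line}: script loaded from another origin: {src}")
```

Run over the template directory in a pre-commit or CI step, a non-empty result marks a page whose origin would execute code served by a third party.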
