Doing a URL structure based on subdomains is a valid feature and
technically you can already do it with Roller (with a little code
modification), but I do not see this as a feature we will ever impose on
people. The fact is that you can't expect everyone to want to do this
subdomain URL structure and the software shouldn't try and force that on
people.

I think we are all agreed that Roller should be as secure as possible,
so thinking of other ways to mitigate the problem is important, but
unless I am misunderstanding what you are proposing, that would never be
the default behavior for Roller.

-- Allen

rob wrote:
One of the things we would like to see in Roller 4.0 is the ability for
a blog to be in its own domain.

We have been investigating the XSS vulnerabilities inherent in any site
that allows user-submitted content (e.g. themes, blog posts, comments).
Roller is pretty vulnerable at the moment to XSS attacks and placing
each blog in its own domain is one of the first steps necessary to
better mitigate the risks of an attack.

This seems to be a well understood problem and details of what
LiveJournal had to do are here http://news.livejournal.com/90556.html and
here
http://www.davidpashley.com/cgi/pyblosxom.cgi/computing/livejournal-mozilla-bug.html.

Could this be considered for Roller 4.0? It's pretty significant as
once again the URL structure needs to change and it can only really be
achieved in conjunction with Apache virtual hosts.

Thanks,
Rob
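
The isolation argument in this thread, worked through as an added example (not part of the original messages and not Roller code): it compares browser origins and session-cookie scope for a path-based layout and a per-blog subdomain layout. The hostnames and cookie records are constructed, and the cookie matching is a simplified form of the RFC 6265 rules.

```javascript
// Added illustration; hostnames and cookie records below are constructed.
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// RFC 6265 domain-match: a host-only cookie matches the exact host only;
// a cookie set with a Domain attribute also matches every subdomain.
function domainMatch(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// RFC 6265 path-match (simplified). Path scoping is not a security boundary:
// same-origin pages can still script each other regardless of cookie path.
function pathMatch(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

function cookieSentTo(cookie, url) {
  const u = new URL(url);
  return domainMatch(cookie, u.hostname) && pathMatch(cookie.path, u.pathname);
}

// What two blogs share from the browser's point of view.
function assess(blogA, blogB, sessionCookie) {
  return {
    sharedOrigin: sameOrigin(blogA, blogB),
    cookieReachesBoth:
      cookieSentTo(sessionCookie, blogA) && cookieSentTo(sessionCookie, blogB),
  };
}

// 1. Path-based blogs: one origin, one cookie jar for every blog.
const pathLayout = assess(
  "https://blogs.example.com/alice/", "https://blogs.example.com/bob/",
  { domain: "blogs.example.com", hostOnly: true, path: "/" });

// 2. Subdomains, but the session cookie is set with Domain=blogs.example.com:
//    origins differ, yet the cookie is still sent to every blog.
const subdomainWideCookie = assess(
  "https://alice.blogs.example.com/", "https://bob.blogs.example.com/",
  { domain: "blogs.example.com", hostOnly: false, path: "/" });

// 3. Subdomains with a host-only cookie: separate origin and separate cookie.
const subdomainHostOnly = assess(
  "https://alice.blogs.example.com/", "https://bob.blogs.example.com/",
  { domain: "alice.blogs.example.com", hostOnly: true, path: "/" });

console.log({ pathLayout, subdomainWideCookie, subdomainHostOnly });
```

Case 2 shows why per-blog domains are only a first step: the session cookie also has to stop being shared across the parent domain.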