Re: [Jmol-users] proposed change to Jmol.js
I've put up a proposed change to Jmol.js. Please check it out. The idea is that we would be able to test sites using different Jar files. The comment in the Jar file reads: // Note added 12:41 PM 9/21/2008 by Bob Hanson, [EMAIL PROTECTED]: // JMOLJAR=x.jar on the URL for this page will override // the JAR file specified in the jmolInitialize() call. // The idea is that it can be very useful to test a web page with different JAR files // Or for an expert user to substitute a signed applet for an unsigned one // so as to use a broader range of models or to create JPEG files, for example. // If the JAR file is not in the current directory (has any sort of / in its name) // then the user is presented with a warning and asked whether it is OK to change Jar files. // The default action, if the user just presses OK is to NOT allow the change. // The user must type the word yes in the prompt box for the change to be approved. // If you don't want people to be able to switch in their own JAR file on your page, // simply set this next line to read var allowJMOLJAR = false. You can try it out using URLs such as these: http://chemapps.stolaf.edu/jmol/docs/examples-11/new.htm?JMOLJAR=./JmolApplet.jar http://chemapps.stolaf.edu/jmol/docs/examples-11/new.htm?JMOLJAR=./JmolAppletSigned.jar Bob On Mon, Sep 1, 2008 at 10:03 AM, Robert Hanson [EMAIL PROTECTED] wrote: OK. Others have comments on this? Bob On Mon, Sep 1, 2008 at 9:58 AM, Rolf Huehne [EMAIL PROTECTED]wrote: Robert Hanson wrote: One more thought on this: What about an option that allows the replacement of the Jar file but first prompts the user for an OK (using JavaScript prompt() ) and explains why this might be an issue? If the user says it is OK, then the Jar file is used? Accepting should not be the default and then I think it should be ok. If it is integrated the possible consequences should be pointed out clearly in the documentation of 'Jmol.js'. And it should be easily removable by people who don't like to take the risk. Regards, Rolf - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users -- Robert M. Hanson Professor of Chemistry St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 -- Robert M. Hanson Professor of Chemistry St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
Re: [Jmol-users] proposed change to Jmol.js
Robert Hanson wrote: One more thought on this: What about an option that allows the replacement of the Jar file but first prompts the user for an OK (using JavaScript prompt() ) and explains why this might be an issue? If the user says it is OK, then the Jar file is used? Accepting should not be the default and then I think it should be ok. If it is integrated the possible consequences should be pointed out clearly in the documentation of 'Jmol.js'. And it should be easily removable by people who don't like to take the risk. Regards, Rolf - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
Re: [Jmol-users] proposed change to Jmol.js
OK. Others have comments on this? Bob On Mon, Sep 1, 2008 at 9:58 AM, Rolf Huehne [EMAIL PROTECTED] wrote: Robert Hanson wrote: One more thought on this: What about an option that allows the replacement of the Jar file but first prompts the user for an OK (using JavaScript prompt() ) and explains why this might be an issue? If the user says it is OK, then the Jar file is used? Accepting should not be the default and then I think it should be ok. If it is integrated the possible consequences should be pointed out clearly in the documentation of 'Jmol.js'. And it should be easily removable by people who don't like to take the risk. Regards, Rolf - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users -- Robert M. Hanson Professor of Chemistry St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
Re: [Jmol-users] proposed change to Jmol.js
One more thought on this: What about an option that allows the replacement of the Jar file but first prompts the user for an OK (using JavaScript prompt() ) and explains why this might be an issue? If the user says it is OK, then the Jar file is used? Bob On Sat, Aug 30, 2008 at 2:43 PM, [EMAIL PROTECTED] wrote: Quoting Robert Hanson [EMAIL PROTECTED]: ok. Shucks. That's convincing. OK if it allows same-server jar changes? Yes, I think so. If the server is compromised then I guess it won't make much difference anyhow. Regards, Rolf This message was sent using IMP, the Internet Messaging Program. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users -- Robert M. Hanson Professor of Chemistry St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
Re: [Jmol-users] proposed change to Jmol.js
I'm working with them -- they are mostly waiting for 11.6 to be stable. Then they will go to that. Bob On Sat, Aug 30, 2008 at 7:29 AM, Angel Herráez [EMAIL PROTECTED] wrote: One of the interesting aspects is that I could use JMOLJAR= http://chemapps.stolaf.edu/jmol/docs/examples-11/JmolAppletSigned.jar for example to go to the PDB website and use MY applet instead of theirs. Assuming that they update their Jmol.js file!!! They are still using 10.2, and I think there have been requests for update already, to no avail - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users -- Robert M. Hanson Professor of Chemistry St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
Re: [Jmol-users] proposed change to Jmol.js
RCSB beta site is using Jmol 11.4. See for example: http://betastaging.rcsb.org/pdb/static.do?p=explorer/viewers/jmol.jsp?structureId=1O1I Current version there is 11.4.6, I think. On Sat, Aug 30, 2008 at 8:08 AM, Robert Hanson [EMAIL PROTECTED] wrote: I'm working with them -- they are mostly waiting for 11.6 to be stable. Then they will go to that. Bob On Sat, Aug 30, 2008 at 7:29 AM, Angel Herráez [EMAIL PROTECTED]wrote: One of the interesting aspects is that I could use JMOLJAR= http://chemapps.stolaf.edu/jmol/docs/examples-11/JmolAppletSigned.jar for example to go to the PDB website and use MY applet instead of theirs. Assuming that they update their Jmol.js file!!! They are still using 10.2, and I think there have been requests for update already, to no avail - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users -- Robert M. Hanson Professor of Chemistry St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 -- Robert M. Hanson Professor of Chemistry St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
Re: [Jmol-users] proposed change to Jmol.js
Quoting Robert Hanson [EMAIL PROTECTED]: One of the interesting aspects is that I could use JMOLJAR= http://chemapps.stolaf.edu/jmol/docs/examples-11/JmolAppletSigned.jar for example to go to the PDB website and use MY applet instead of theirs. Bob, have you tried that already? If this is allowed it would be exactly what should pe prevented within Jmol.js! It should only be allowed to load a different Jmol version from the same server! Otherwise anyone could use your/our service by 'URL Spoofing' to deliver an evil Jmol applet (or even a totally different applet) to the user!!! Regards, Rolf This message was sent using IMP, the Internet Messaging Program. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
Re: [Jmol-users] proposed change to Jmol.js
that's why I'm asking. Yes, I have tried this. We could make it only the applet from the server -- in other words not allow a new codebase -- if you think that is a major concern. How would you see the spoof working, Rolf? Bob On Sat, Aug 30, 2008 at 12:56 PM, [EMAIL PROTECTED] wrote: Quoting Robert Hanson [EMAIL PROTECTED]: One of the interesting aspects is that I could use JMOLJAR= http://chemapps.stolaf.edu/jmol/docs/examples-11/JmolAppletSigned.jar for example to go to the PDB website and use MY applet instead of theirs. Bob, have you tried that already? If this is allowed it would be exactly what should pe prevented within Jmol.js! It should only be allowed to load a different Jmol version from the same server! Otherwise anyone could use your/our service by 'URL Spoofing' to deliver an evil Jmol applet (or even a totally different applet) to the user!!! Regards, Rolf This message was sent using IMP, the Internet Messaging Program. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users -- Robert M. Hanson Professor of Chemistry St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
Re: [Jmol-users] proposed change to Jmol.js
Quoting Robert Hanson [EMAIL PROTECTED]: that's why I'm asking. Yes, I have tried this. We could make it only the applet from the server -- in other words not allow a new codebase -- if you think that is a major concern. How would you see the spoof working, Rolf? The HTML code shown below just hides the 'JMOLJAR=...' extension within the status line. Althugh my Firefox 3 does show the real URL, even when I exceptionally allow status line changes, it still works with my Internet Eplorer 7. And this is just the most simple way. There are more sophisticated techniques possible. a href=http://www.imb-jena.de/cgi-bin/3d_mapping.pl?CODE=1dehMODE=biological1JMOLJAR=http://www.fakejenalib.com/fakejmol.jar; onmouseout=window.status='';return true onmouseover=window.status='http://www.imb-jena.de/cgi-bin/3d_mapping.pl?CODE=1dehMODE=biological1';return trueJenaLib Jmol Viewer/a Since it may be possible that the complete version is only shown as links here is a (modified) repeat of the Javascript portion: onmouseout=window.status='';return true onmouseover=window.status='original_URL';return true Regards, Rolf This message was sent using IMP, the Internet Messaging Program. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
Re: [Jmol-users] proposed change to Jmol.js
Quoting Robert Hanson [EMAIL PROTECTED]: ok. Shucks. That's convincing. OK if it allows same-server jar changes? Yes, I think so. If the server is compromised then I guess it won't make much difference anyhow. Regards, Rolf This message was sent using IMP, the Internet Messaging Program. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users
[Jmol-users] proposed change to Jmol.js
I'd like to propose a change to Jmol.js. The change would be an addition. If the page URL contains JMOLJAR= then Jmol.js would be instructed to ignore the jmolInitialize() command and instead use the codebase directory and jar file as defined after that tag. For example: http://chemapps.stolaf.edu/jmol/docs/examples-11/new.htm?JMOLJAR=./JmolAppletSigned.jar This would allow quick checking of sites with different JAR files. Bob -- Robert M. Hanson Professor of Chemistry St. Olaf College Northfield, MN http://www.stolaf.edu/people/hansonr If nature does not answer first what we want, it is better to take what answer we get. -- Josiah Willard Gibbs, Lecture XXX, Monday, February 5, 1900 - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Jmol-users mailing list Jmol-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jmol-users