On Wed, Nov 5, 2008 at 3:19 AM, Sergiu Dumitriu <sergiu(a)xwiki.com> wrote:
Pascal Voitot wrote:
see below
On Mon, Nov 3, 2008 at 8:44 AM, Jerome Velociter <jerome(a)xwiki.com> wrote:
Sergiu pointed out to me that this had already been discussed in this
thread:
http://markmail.org/message/nirue2ug5ahbsy5b
I agree the security concerns are not very simple to deal with if we
want to do this.
I'm currently thinking about this...
XSS is really annoying :)...
We worry about the JSX extension, but is there any security against JS
injection in any wiki page?
At least, JSX could be used as a kind of firewall...
imagine we create some JSX configuration parameters such as "Allowed JSX
external URLs"... (this is just an idea :) )...
Then when you call $jsx.use(externalurl), it is rendered by the JSX
extension, which would verify the URL is allowed and if not would generate
an error...
Yes, we should forbid <script> tags inside the content, and only allow
jsx calls.
Last night, I was looking at the US elections asking myself how to make
scripting more secure... It's true: people are dangerous, they hate me and
want to destroy my XWiki all the time. Conclusion: I must protect myself
from everyone...
While looking at the US elections, the US Republicans inspired me with the
solution: an XWIKI BIG NUCLEAR SOFTWARE MASSDESTRUCTION WEAPON to nuke all
users in one click if they bother me!!!!!!!! Yes, I will never give up
against any terrorist!!!!!!!! I had even found a name for this new
extension: XWiKill'emAll
And finally, I fell asleep and I had a dreaaaaaaaaaaaaam that
onnnnnnnnnnnnnnnne dayyyyy...
And this morning, I wake up and I wonder if I'm still dreaming ;)
Anyway, this morning, I feel a bit less extremist about security: people
might not be so evil and they don't hate me either... Maybe I don't need
this XWiKill'emAll... just need to find big security holes that would
attract the real evil guys and solve them... will be enough!
That's why I think I will just wander a bit around the scripting security
issue to see if I don't find any other holes ;)...
historical regards
Pascal
> Jerome.
>
> Jerome Velociter wrote:
>> I'm now thinking about another possibility: letting the actual
>> extensions (documents with JavaScriptExtensions objects) declare
>> their library dependencies. We could create a new class for this,
>> which would have the path (absolute in case the file is distant, or
>> name of the file if it's on the FS) as a property. This way an
>> extension can declare as many deps as it needs.
>>
>> This is not necessarily incompatible with the proposition below, we could
>> have both.
>>
>> Jerome.
>>
>> Jerome Velociter wrote:
>>> Hello,
>>>
>>> Following the open question #1 here
>>>
>>> http://dev.xwiki.org/xwiki/bin/view/Design/SkinExtensions#HUsage
>>>
>>> "
>>> Open question 1: Should $jsx.useFile("filename.js") work for files
>>> located on the disk? This allows the same pull process to be used with
>>> files located in the skin, without requiring SX documents and objects.
>>> I'd say yes. Then, what should the URL look like?
>>> /xwiki/bin/jsx/skins/albatross/somestyle.css is OK?
>>> "
>>>
>>> I would like to propose to go even further, and to allow injection of
>>> script tags referring to libraries in the cloud or on a different
>>> server using the jsx plugin. This would avoid having users write
>>> script tags in the body of the document to add a library.
>>>
>>> I would see something like :
>>>
>>> $jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")
>>>
>>> or
>>>
>>> $jsx.useFile("http://maps.google.com/maps?file=api&v=2&key=XXX")
>>>
>>> What do you think?
>>>
>>> Regards,
>>> Jerome.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
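The two checks sketched in the thread, as an added example that is not part of the messages above and not code from XWiki's JSX plugin: an "Allowed JSX external URLs" allow list consulted when `$jsx.use(externalurl)` is rendered (Pascal's idea), and a scan for literal `<script>` tags in page content (Sergiu's point). It is written in Python rather than XWiki's Java so it runs stand-alone; `ALLOWED_ORIGINS`, `origin_of`, `is_allowed`, `jsx_use`, `find_inline_scripts` and the sample page are all constructed for the illustration, with the allowed host taken from the maps.google.com URL in Jerome's example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed stand-in for the "Allowed JSX external URLs" configuration
# parameter proposed in the thread. Entries are full origins (scheme, host,
# port); the host is the one from Jerome's example URL.
ALLOWED_ORIGINS = {
    ("http", "maps.google.com", 80),
    ("https", "maps.google.com", 443),
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Parse url into (scheme, host, port), or None if it is not a usable http(s) URL.

    Comparing a parsed origin, rather than a string prefix, means a host that
    merely starts with an allowed name, a userinfo part before an '@', or a
    non-default port cannot pass as the allowed host.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # parts.hostname is already lower-cased and stripped of userinfo/port.
    return (scheme, parts.hostname, port or DEFAULT_PORTS[scheme])


def is_allowed(url, allowed=ALLOWED_ORIGINS):
    """True if the URL's origin is in the configured allow list."""
    return origin_of(url) in allowed


def jsx_use(url, allowed=ALLOWED_ORIGINS):
    """Hypothetical model of $jsx.use(url): return the script tag the extension
    would emit, or raise (the "error" Pascal mentions) when the origin is not
    allowed. Not the real JSX plugin API."""
    if not is_allowed(url, allowed):
        raise ValueError("external script URL not in the allowed list: %s" % url)
    # Escape for an HTML attribute so '&' in the query string becomes '&amp;'.
    return '<script type="text/javascript" src="%s"></script>' % html.escape(url, quote=True)


# Literal <script ...> or </script> tags, any case, optional whitespace:
# the tags Sergiu proposes to forbid in page content.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def find_inline_scripts(content):
    """Return the offsets of script tags found in wiki content."""
    return [m.start() for m in SCRIPT_TAG.finditer(content)]


# Constructed sample wiki page: one sanctioned $jsx.use call, one forbidden tag.
SAMPLE_PAGE = (
    '$jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")\n'
    'Some text. <SCRIPT src="http://other.example/lib.js"></script>\n'
)

if __name__ == "__main__":
    for url in [
        "http://maps.google.com/maps?file=api&v=2&key=XXX",
        "http://maps.google.com.other.example/maps",
        "http://maps.google.com@other.example/maps",
        "http://maps.google.com:8080/maps",
        "//maps.google.com/maps",
    ]:
        print(url, "->", "allowed" if is_allowed(url) else "rejected")
    print("script tags at offsets:", find_inline_scripts(SAMPLE_PAGE))
```

The allow list is matched on the parsed origin rather than with a string prefix, because a prefix test accepts any host whose name merely begins with the allowed one. The regex scan is only a coarse first line: a real implementation should run the rendered HTML through an HTML-aware sanitizer, since encodings and parser quirks let markup slip past pattern matching.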