[xwiki-devs] [Proposal] Support use of local and external JS libs with JSX
Hello,

Following the open question #1 here http://dev.xwiki.org/xwiki/bin/view/Design/SkinExtensions#HUsage

"Open question 1: Should $jsx.useFile("filename.js") work for files located on the disk? This allows the same pull process to be used with files located in the skin, without requiring SX documents and objects. I'd say yes. Then, what should the URL look like? /xwiki/bin/jsx/skins/albatross/somestyle.css is OK?"

I would like to propose to go even further, and to allow injection of script tags referring to libraries on the cloud or on a different server using the jsx plugin. This would allow users not to have to write script tags in the body of the document to add a library.

I would see something like:

$jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")

or

$jsx.useFile("http://maps.google.com/maps?file=api&v=2&key=XXX")

What do you think?

Regards,
Jerome.
I'm now thinking about another possibility: letting the actual extensions (documents with JavaScriptExtensions objects) declare their library dependencies. We could create a new class for this, which would have the path (absolute in case the file is distant, or name of the file if it's on the FS) as a property. This way an extension can declare as many deps as it needs.

This is not necessarily incompatible with the proposition in my first mail, we could have both.

Jerome.

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
Sergiu pointed out to me that this had already been discussed in this thread: http://markmail.org/message/nirue2ug5ahbsy5b

I agree the security concerns are not very simple to deal with if we want to do this.

Jerome.
see below

On Mon, Nov 3, 2008 at 8:44 AM, Jerome Velociter <[email protected]> wrote:

Sergiu pointed out to me that this had already been discussed in this thread: http://markmail.org/message/nirue2ug5ahbsy5b

I agree the security concerns are not very simple to deal with if we want to do this.

I'm currently thinking about this... XSS is really annoying :)... we worry about the JSX extension, but is there any security against JS injection in any Wiki page?

At least, JSX could be used as a kind of firewall... imagine we create some JSX configuration parameters such as "Allowed JSX external URLs"... (this is just an idea :) )... Then when you call $jsx.use(externalurl), it is rendered by the JSX extension, which would verify the URL is allowed and if not would generate an error...

Pascal
Pascal Voitot wrote:

I'm currently thinking about this... XSS is really annoying :)... we worry about the JSX extension, but is there any security against JS injection in any Wiki page?

At least, JSX could be used as a kind of firewall... imagine we create some JSX configuration parameters such as "Allowed JSX external URLs"... (this is just an idea :) )... Then when you call $jsx.use(externalurl), it is rendered by the JSX extension, which would verify the URL is allowed and if not would generate an error...

Yes, we should forbid <script> tags inside the content, and only allow jsx calls.

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
On Wed, Nov 5, 2008 at 3:19 AM, Sergiu Dumitriu <[email protected]> wrote:

Yes, we should forbid <script> tags inside the content, and only allow jsx calls.

Last night, I was looking at the US elections asking myself how to make scripting more secure... It's true: people are dangerous, they hate me and want to destroy my XWiki all the time. Conclusion: I must protect myself from everyone...

While looking at the US elections, the US republicans inspired me. The solution: an XWIKI BIG NUCLEAR SOFTWARE MASS DESTRUCTION WEAPON to nuke all users in one click if they bother me!!!!!!!! Yes, I will never give up against any terrorist!!!!!!!! I had even found a name for this new extension: XWiKill'emAll

And finally, I fell asleep and I had a dreaaaaaaaaaaaaam that onnnnnnnnnnnnnnnne dayyyyy... And this morning, I wake up and I wonder if I'm still dreaming ;)

Anyway, on this morning, I feel a bit less extremist about security: people might not be so evil and they don't hate me either... Maybe I don't need this XWiKill'emAll... just need to find big security holes that would attract the real evil guys and solve them... will be enough!

That's why, I think I will just wander a bit around the scripting security issue to see if I don't find any other holes ;)...

historical regards
Pascal
Pascal Voitot wrote:

At least, JSX could be used as a kind of firewall... imagine we create some JSX configuration parameters such as "Allowed JSX external URLs"... (this is just an idea :) )... Then when you call $jsx.use(externalurl), it is rendered by the JSX extension, which would verify the URL is allowed and if not would generate an error...

Yes, a white list would do the trick. Another idea would be to protect calls to external libs with programming rights in the plugin, thus transferring the responsibility to call only non-malicious URLs to the developer(s).

Jerome
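Pascal's "Allowed JSX external URLs" configuration idea and Jerome's "a white list would do the trick", sketched as an added example that is not XWiki's code: ALLOWED_EXTERNAL_SCRIPTS, is_allowed_script_url and render_jsx_use are constructed names for the plugin-side check that $jsx.use(externalurl) would run. It compares the parsed scheme, host and path against the list instead of the raw string, and escapes the URL when it emits the tag, so a permitted URL cannot itself carry a second tag into the page.

```python
"""Allow-list for external script URLs, modelled on the "Allowed JSX external URLs" idea.

Added example, not XWiki code: ALLOWED_EXTERNAL_SCRIPTS, is_allowed_script_url and
render_jsx_use are constructed names standing in for the plugin-side check that
$jsx.use(externalurl) would perform.
"""
from html import escape
from urllib.parse import urlsplit

# Constructed allow-list an administrator would configure: (scheme, host, path prefix).
ALLOWED_EXTERNAL_SCRIPTS = [
    ("http", "maps.google.com", "/maps"),
    ("https", "ajax.googleapis.com", "/ajax/libs/"),
]


def is_allowed_script_url(url):
    """Return True only if the parsed scheme, host and path match an allow-list entry.

    Comparing the parsed host (not the raw string) means a look-alike host such as
    maps.google.com.evil.example, credentials in front of the host (user@host) and
    non-HTTP schemes all fail the check instead of slipping past a prefix match.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo only serves to make the URL look like another host
    host = parts.hostname.lower().rstrip(".")  # hostnames are case-insensitive; drop root dot
    for scheme, allowed_host, prefix in ALLOWED_EXTERNAL_SCRIPTS:
        if parts.scheme == scheme and host == allowed_host and parts.path.startswith(prefix):
            return True
    return False


def render_jsx_use(url):
    """Render the <script> tag for an allowed URL; raise for anything else.

    Rejecting at this point is the "generate an error" behaviour from the thread, and
    escaping src keeps a quote inside the URL from closing the attribute early.
    """
    if not is_allowed_script_url(url):
        raise ValueError("URL not in Allowed JSX external URLs: %r" % url)
    return '<script type="text/javascript" src="%s"></script>' % escape(url, quote=True)
```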
Participants (3): Jerome Velociter, Pascal Voitot, Sergiu Dumitriu