[Grok-dev] UPDATE recently created projects to 0.14.1

Jasper Spaans j at jasper.es
Sun Dec 21 17:24:28 EST 2008


On 18 Dec 2008, at 17:17, Leonardo Rochael Almeida wrote:

>>> That'd be a cross-domain request. Those are generally not very nice
>>> from a security perspective either. In fact I thought browsers generally
>>> don't allow this from Javascript to prevent cross site scripting
>>> attacks. How does Wordpress do it?
>>
>> This could probably be done by some creative use of a css-file to hold
>> the data and having the javascript load and interpret the css file at
>> runtime.
>
> The usual solutions for blessed cross-domain are:
>
> 1. an iframe
> 2. JSONP [1]

Another option not requiring the use of javascript or iframes is a
nice in-your-face gif which goes flashing red if your grok is
outdated, for example by requesting something like
'http://grok.zope.org/ismygrokuptodate.gif?version=0.14.1'
and getting back an appropriate image. This does of course disclose
which version of grok is being used (and thanks to the referrer url)
on which site, so the grokmasters could play havoc with old versions.
And, more importantly, it doesn't work for a simple nagios script.
(Trainstorming leading to a cool idea: having a grok view for use with
a nagios plugin, so you can get notified automatically if/when there's
a security update)

However - my opinion is that this discussion is focussing on the wrong
solution, I'd rather have a view(let) somewhere in the grok admin ui
that can retrieve the current versions and warn if needed (and of
course, this feature should be disabled by default).

(If the main argument against that is that it exposes the IP of
servers to the g.z.o logfiles, please don't neglect the referrer of
jsonp/iframes/images unless you're accessing the adminui from
localhost (which isn't that weird if using an ssh-tunnel).)


Jasper
-- 
Jasper Spaans                                          http://jasper.es/
              This line was last modified 0 seconds ago.
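As an added illustration of the disclosure Jasper describes (this is not code from the thread or from the Grok project), the script below runs over constructed access-log lines for the hypothetical `ismygrokuptodate.gif` beacon and shows what the beacon's operator learns from the `version` query parameter and the Referer header: which site runs which Grok version, and whether it is behind the latest release. The endpoint path, host names, IPs and versions are all made up.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache "combined" log format for the
# hypothetical beacon endpoint; hosts, addresses and versions are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Dec/2008:17:24:28 -0500] "GET /ismygrokuptodate.gif?version=0.14.1 HTTP/1.1" 200 43 "http://admin.example.org/grok-admin/" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2008:17:25:01 -0500] "GET /ismygrokuptodate.gif?version=0.13 HTTP/1.1" 200 43 "http://intranet.example.net/@@grokadmin" "Mozilla/5.0"
192.0.2.5 - - [21/Dec/2008:17:26:11 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, request line, status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "(?P<referer>[^"]*)" "[^"]*"$'
)

BEACON_PATH = "/ismygrokuptodate.gif"  # hypothetical endpoint from the message


def version_tuple(v):
    """Turn a dotted version string such as '0.14.1' into a comparable tuple."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def beacon_disclosures(log_text, latest="0.14.1"):
    """Return {referring site: (client ip, reported version, is_outdated)}.

    Everything in the result is information the beacon operator gets for
    free from a single image request: the address of the requesting browser,
    the Grok version from the query string, and the site from the Referer.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if url.path != BEACON_PATH:
            continue  # ordinary traffic, not a beacon hit
        version = parse_qs(url.query).get("version", [""])[0]
        site = urlparse(m.group("referer")).hostname or "(no referrer)"
        outdated = version_tuple(version) < version_tuple(latest)
        seen[site] = (m.group("ip"), version, outdated)
    return seen


if __name__ == "__main__":
    for site, (ip, version, outdated) in beacon_disclosures(SAMPLE_LOG).items():
        print(f"{site}: grok {version} from {ip}{' (OUTDATED)' if outdated else ''}")
```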
