[Grok-dev] UPDATE recently created projects to 0.14.1

Jasper Spaans j at jasper.es
Sun Dec 21 17:24:28 EST 2008

Op 18 dec 2008, om 17:17 heeft Leonardo Rochael Almeida het volgende  

>>> That'd be a cross-domain request. Those are generally not very nice
>>> from
>>> a security perspective either. In fact I thought browsers generally
>>> don't allow this from Javascript to prevent cross site scripting
>>> attacks. How does Wordpress do it?
>> This could probably be done by some creative use of a css-file to  
>> hold
>> the data and having the javascript load and interpret the css file at
>> runtime.
> The usual solutions for blessed cross-domain are:
> 1. an iframe
> 2. JSONP [1]

Another option not requiring the use of javascript or iframes is a  
nice in-your-face gif which goes flashing red if your grok is  
outdated, for example by requesting something like 'http://grok.zope.org/ismygrokuptodate.gif?version=0.14.1' 
  and getting back an appropriate image. This does of course disclose  
which version of grok is being used (and thanks to the referrer url)  
on which site, so the grokmasters could play havoc with old versions.  
And, more importantly, it doesn't work for a simple nagios script.  
(Trainstorming leading to a cool idea: having a grok view for use with  
a nagios plugin, so you can get notified automatically if/when there's  
a security update)

However - my opinion is that this discussion is focussing on the wrong  
solution, I'd rather have a view(let) somewhere in the grok admin ui  
that can retrieve the current versions and warn if needed (and of  
course, this feature should be disabled by default).

(If the main argument against that is that it exposes the IP of  
servers to the g.z.o logfiles, please don't neglect the referrer of  
jsonp/iframes/images unless you're accessing the adminui from  
localhost (which isn't that weird if using an ssh-tunnel).)

Jasper Spaans                                          http://jasper.es/
              This line was last modified 0 seconds ago.

More information about the Grok-dev mailing list