- From: Bart Van der Donck <bart@xxxxxxxxxx>
- Date: Thu, 23 Oct 2008 05:34:05 -0700 (PDT)
Thomas 'PointedEars' Lahn wrote:
> Bart Van der Donck wrote:
>
> Nevertheless, those who have a domain of their own usually don't need your
> script (as they can put .htaccess and friends), and those who don't have a
> domain usually can't run your script on their server (who can't/won't afford
> a domain usually can't get CGI and friends because there are just not enough
> ads that would pay for it).

Access to a CGI-enabled directory is needed, yes, but not the own
domain. The script runs from/to any location that supports CGI written

> So the latter group should be made aware that all their requests and
> responses can be spied^Wlogged on, either by you (no offense meant, but a
> statement of confidentiality is missing from your documentation),

I cannot view/spy/log the requests. The webserver where the script
runs, can. None of the 4284 downloads of the past years runs on my
machine (except the demo) so I cannot view or log anything.

> or a man-in-the-middle because the connection is only partially encrypted
> (from your server to the target host) at best.

Ajax Cross Domain can run over HTTPS or HTTP. It doesn't make a
difference. Also a combination is possible:

- caller file over HTTP and ACD.js over HTTPS
- caller file over HTTPS and ACD.js over HTTP (in this case, the
browser might give a warning, because a HTTPS page requests a HTTP

The requested remote file can use connections over http:, https:,
ftp:, news:, gopher: and a few (theoretical) others. It uses Gisle
Aas' LWP module:

> There is also the inherent insecurity of passing sensitive data in URIs to
> consider, since they end up in the local history and caches, proxy caches,
> and default Web server logs.

Very true. The issue is described at the second paragraph of chapter

But I think the risk must not be exaggerated; it's indeed inherent for
this kind of requests as you write. It's not different with Apache
rewrite rules or proxies; they can all be eavesdropped as well.

IMHO the first paragraph about security ("Calling ACD.js is only
allowed with certain query-strings") is more important.

> Not to mention the limitation of data to be transmitted because browsers
> (and particularly that of the browser with still the greatest market
> share, like it or not); BTW, that limit is at 2083 characters per URI in
> IE, not 2048.

Yes, 2048 is the path size, not the full URL. It has been corrected.

> Given these facts, I have to question the overall usefulness of your
> script/service, even if your intentions may be good.

Google Analytics shows between 50-100 unique visitors per day, with
10-15 daily downloads of the script. I think that remote requests from
js reflect a real need from programmers.

Thanks for the feedback.
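
The concerns raised in this thread (unencrypted hops, sensitive data in URIs, the IE length limits), written as a check to run before a request is sent through a cross-domain proxy. This is an added example, not part of the original post and not code from Ajax Cross Domain; the proxy location, the `uri` parameter name and the list of sensitive parameter names are assumptions.

```javascript
// Limits quoted in the thread: 2083 characters per URI in IE, 2048 for the path.
const IE_MAX_URI = 2083;
const IE_MAX_PATH = 2048;
// Assumption: parameter names treated as sensitive (hypothetical list).
const SENSITIVE = /^(pass(word|wd)?|pwd|token|secret|session(id)?|api[_-]?key|auth)$/i;

// proxyUrl:  hypothetical location of the proxy script on a CGI-enabled server.
// targetUrl: remote resource the proxy is asked to fetch.
// params:    data the caller wants to send along with the request.
function auditProxiedRequest(proxyUrl, targetUrl, params) {
  const findings = [];
  const target = new URL(targetUrl);
  for (const [name, value] of Object.entries(params)) {
    target.searchParams.append(name, value);
  }
  const proxied = new URL(proxyUrl);
  proxied.searchParams.set("uri", target.href); // "uri" is an assumed parameter name

  // Both hops must be encrypted, otherwise part of the path is readable in transit.
  if (proxied.protocol !== "https:") findings.push("hop browser->proxy is not HTTPS");
  if (target.protocol !== "https:") findings.push("hop proxy->target is not HTTPS");

  // Anything in the query string ends up in history, caches, proxy caches
  // and default web server logs, on the proxy host as well as the target.
  for (const name of target.searchParams.keys()) {
    if (SENSITIVE.test(name)) findings.push(`sensitive parameter in URI: ${name}`);
  }

  // The nested target URI is percent-encoded, so the proxied URI grows quickly.
  if (proxied.href.length > IE_MAX_URI) {
    findings.push(`URI is ${proxied.href.length} chars, over the IE limit of ${IE_MAX_URI}`);
  }
  if (proxied.pathname.length > IE_MAX_PATH) {
    findings.push(`path is ${proxied.pathname.length} chars, over the IE limit of ${IE_MAX_PATH}`);
  }
  return { uri: proxied.href, findings };
}

// Constructed sample input: plain-HTTP proxy hop and a password in the query string.
const report = auditProxiedRequest(
  "http://example.org/cgi-bin/ACD.js",
  "https://api.example.net/login",
  { user: "bob", password: "constructed-sample" }
);
console.log(report.findings.join("\n"));
```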