Just brainstorming... This is kind of sounding similar to the government deciding what's best for the people rather than the other way around. I agree it shouldn't automatically (read "by default"), but what about an option to turn on with a big, red warning label? How about a page from Microsoft's OSs: "Download updates automatically, ask permission before installing".

On Sep 14, 2007, at 8:32 AM, Jeff Eaton wrote:
This is very true. The concern that sparked this discussion revolved around *automatically downloading* JavaScript files from a *remote server* and automatically including them in Drupal's output to end-users. Compromising remote servers in that scenario (as happened with WordPress) could easily result in jillions of Drupal sites auto-downloading a compromised version of a js file and 'reflecting' it out to all of their users.
--Jeff
On Sep 14, 2007, at 7:25 AM, Frando wrote:
JavaScript is different, though. For someone to exploit a Drupal site by saving a modified, malicious JavaScript file at a path where it gets included in every request, he needs a major security hole in the site (one that allows him to save random files at random paths). Given that security hole, he most likely already has other ways to add random, malicious JavaScript to every page request (he could, e.g., add a PHP block with no title and text to each page which then includes the malicious JavaScript; he could also add the JavaScript to the aggregated CSS file, which also lives in the writeable file directory, and JavaScript in CSS files gets executed by most modern browsers).
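As an added illustration of the two defensive ideas in the thread (not code from Drupal, from Jeff, or from anyone else on the list), the following sketch pins a digest for the remote file so a compromised copy is refused, and stages an accepted file instead of serving it, matching the "download automatically, ask before installing" suggestion. The directory names, file names and sample contents are all constructed for the example.

```php
<?php
// Added illustration, not Drupal code: a remotely fetched JavaScript file is
// accepted only if its SHA-256 digest matches the one pinned in the module's
// release manifest, and even then it is staged, not served, until an admin
// explicitly promotes it. Directory names and sample contents are constructed.

function stage_remote_js($bytes, $pinned_sha256, $quarantine_dir, $name) {
  $name = basename($name);                 // never let the remote side choose a path
  $actual = hash('sha256', $bytes);
  if (!hash_equals($pinned_sha256, $actual)) {
    // Keep the bytes for forensics, but outside anything Drupal would include.
    file_put_contents("$quarantine_dir/$name.rejected", $bytes);
    return array('ok' => FALSE, 'reason' => 'digest mismatch', 'sha256' => $actual);
  }
  file_put_contents("$quarantine_dir/$name", $bytes);
  return array('ok' => TRUE, 'reason' => 'staged, awaiting admin approval', 'sha256' => $actual);
}

// Called only from an explicit admin action. Re-verifies before the move, so a
// file altered in quarantine after staging is refused as well.
function promote_staged_js($pinned_sha256, $quarantine_dir, $live_dir, $name) {
  $name = basename($name);
  $src = "$quarantine_dir/$name";
  if (!is_file($src) || !hash_equals($pinned_sha256, hash_file('sha256', $src))) {
    return FALSE;
  }
  return rename($src, "$live_dir/$name");
}

// Constructed sample run.
$quarantine = sys_get_temp_dir() . '/js_quarantine';
$live       = sys_get_temp_dir() . '/js_live';
@mkdir($quarantine);
@mkdir($live);

$good   = "window.hello = function () { alert('hi'); };\n";
$pinned = hash('sha256', $good);   // this value ships in the release manifest, not with the file

$r1 = stage_remote_js($good, $pinned, $quarantine, 'hello.js');
$r2 = stage_remote_js($good . "// altered in transit\n", $pinned, $quarantine, 'hello.js');
printf("genuine: ok=%d (%s)\n", $r1['ok'], $r1['reason']);
printf("altered: ok=%d (%s)\n", $r2['ok'], $r2['reason']);
printf("promote: %s\n", promote_staged_js($pinned, $quarantine, $live, 'hello.js') ? 'moved to live' : 'refused');
```

The pinned digest has to travel separately from the file (in the module's own release data) for the check to mean anything; if both come from the same remote server, a compromise of that server defeats it.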