[development] jQuery 1.2 is released

David Norman davidn at cgraphics.com
Fri Sep 14 12:50:00 UTC 2007


just brainstorming...

This is kind of sounding similar to the government deciding what's
best for the people rather than the other way around. I agree it
shouldn't automatically (read "by default"), but what about an option
to turn on with a big, red warning label?

How about a page from Microsoft's OSs: "Download updates
automatically, ask permission before installing".

On Sep 14, 2007, at 8:32 AM, Jeff Eaton wrote:

> This is very true. The concern that sparked this discussion
> revolved around *automatically downloading* javascript files from a
> *remote server* and automatically including them in Drupal's output
> to end-users. Compromising remote servers in that scenario (as
> happened with WordPress) could easily result in jillions of Drupal
> sites auto-downloading a compromised version of a js file and
> 'reflecting' it out to all of their users.
>
> --Jeff
>
> On Sep 14, 2007, at 7:25 AM, Frando wrote:
>
>> JavaScript is different, though. For someone to exploit a Drupal site by
>> saving a modified, malicious JavaScript file at a path where it gets
>> included in every request, he needs a major security hole in the site (one
>> that allows him to save random files at random paths). Given that security
>> hole, he most likely already has other ways to add random, malicious
>> JavaScript to every page request. (He could, e.g., add a PHP block with no
>> title and text to each page which then includes the malicious JavaScript. He
>> could also add the JavaScript to the aggregated CSS file, which also lives
>> in the writable file directory. JavaScript in CSS files gets executed by
>> most modern browsers.)
>

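An added example (not code from this thread, Drupal or jQuery) of the staged flow described above: the file is fetched automatically into a staging area that is never served, and is copied into the live directory only after an administrator approves it and it matches a SHA-256 hash pinned when that release was reviewed. The file bytes, the pinned hash and the directory names are constructed assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample: the bytes the site fetched and the SHA-256 an
# administrator pinned after reviewing that release (hypothetical values).
SAMPLE_JS = b"jQuery.fn.hello = function () { return 'hi'; };\n"
PINNED_SHA256 = hashlib.sha256(SAMPLE_JS).hexdigest()
TAMPERED_JS = SAMPLE_JS + b"/* extra bytes added on the mirror */\n"

def stage_download(data: bytes, staging_dir: Path) -> Path:
    """Write a fetched file to a staging area that is never served to visitors."""
    staging_dir.mkdir(parents=True, exist_ok=True)
    staged = staging_dir / "jquery.js.staged"
    staged.write_bytes(data)
    return staged

def verify_staged(staged: Path, pinned_sha256: str) -> bool:
    """Accept the staged file only if it matches the pinned hash exactly."""
    actual = hashlib.sha256(staged.read_bytes()).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)

def install_staged(staged: Path, live_path: Path, pinned_sha256: str,
                   admin_approved: bool) -> bool:
    """Copy into the served path only after approval *and* a hash match."""
    if not admin_approved or not verify_staged(staged, pinned_sha256):
        return False
    live_path.parent.mkdir(parents=True, exist_ok=True)
    live_path.write_bytes(staged.read_bytes())
    return True

def run_demo() -> dict:
    """Exercise the flow in a throwaway directory and report each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "misc" / "jquery.js"  # hypothetical served path
        good = stage_download(SAMPLE_JS, root / "staging-good")
        bad = stage_download(TAMPERED_JS, root / "staging-bad")
        return {
            "good_verifies": verify_staged(good, PINNED_SHA256),
            "tampered_verifies": verify_staged(bad, PINNED_SHA256),
            "install_unapproved": install_staged(good, live, PINNED_SHA256, False),
            "install_tampered": install_staged(bad, live, PINNED_SHA256, True),
            "install_good": install_staged(good, live, PINNED_SHA256, True),
            "live_served": live.exists(),
        }

if __name__ == "__main__":
    print(run_demo())
```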