[p2pu-dev] [jsFiddle] Zalun - Thanks for your comment re /show/

Piotr Zalewa zaloon at gmail.com
Wed Apr 13 14:36:29 UTC 2011


Dan,

There are 2 issues.

1. It's undocumented as it may be changed in the future
2. Use of the jsfiddle.net to display unwrapped result isn't secure.
   This code has access to cookies from that domain and may be used
   to steal the user's session. Therefore I'm considering blocking the ability
   to display /show/ from jsfiddle.net domain. Malicious JavaScript
   placed on some blog may lead to massive session break-ins.

I'm planning to add the /result/ as described here:
https://github.com/jsfiddle/jsfiddle-docs-alpha/issues/32
If you think it's a better idea, I'll add it as soon as possible.

Watermark is not a solution as it would involve adding code by jsFiddle
to the example, which I'd rather not do.

If you'd like to request some code to be added to the site I'm more than happy
to add it. Please use
https://github.com/jsfiddle/jsfiddle-docs-alpha/issues/

One may obtain the current username from jsfiddle.net by using the
http://jsfiddle.net/user/get_username/ (ouch! just realized I haven't
added this to the documentation, I'll fix it in a second)

zalun

On 04/13/11 14:59, Dan Diebolt wrote:
> @Zalun, thanks for your comment regarding the use of the /show/ url at
> this site that I am involved with:
> 
> http://p2pu.org/webcraft/node/27443/document/27537
> 
> As you can see from the other examples on that page we have been trying
> to demonstrate (a) the extremely wide range of ways in which jsFiddle
> can be used in collaborative open learning scenarios as well as (b)
> finding technical ways to embed jsFiddle into somewhat "uncooperative"
> host platforms such as blogs, social hubs, content management systems
> and learning management systems. I say "uncooperative" from the
> perspective of the host platform not envisioning inclusion of jsFiddle
> in terms of (a) embed mechanism [<iframe>, <object>, <script>, <applet>,
> <embed>], (b) adequate layout space, (c) classic "trapped in frame"
> issue, (d) Cross-site scripting concerns etc. Also I have been looking
> at ways in which an embedded fiddle can receive or pull information from
> its host container page despite the same origin policy. It would be
> extremely helpful for example to be able to safely pass a user identity
> or access token from the host page to the embedded fiddle (postMessage
> maybe). This way the embedded fiddle could actually act as a tool to
> perform some useful function such as displaying
> information retrieved from an external data source but tied to the user
> identity or session in the host platform. Ultimately I believe all these
> things are possible now using some of those advanced techniques I
> outlined in a previous post but it depends on what capabilities the host
> platform happens to support.
> 
> Also in regard to the /show/ suffix, I have seen no problem whatsoever
> using it. The concern isn't so much debranding and removing the chrome
> but rather getting the fiddle to embed nicely in the host page without
> taking up unnecessary space. I would prefer a watermark inside the
> jsfiddle to preserve branding and identity as the bar across the top
> simply takes up too much space (embedding jsdo.it <http://jsdo.it> takes
> up way to much space).
> 
> ==============
> Cross-Domain Communication with IFrames
> http://softwareas.com/cross-domain-communication-with-iframes
> 
> easyXDM: Cross-Domain Messaging Made Easy
> http://easyxdm.net/
> 
> Breaking The Cross Domain Barrier
> http://www.slideshare.net/SlexAxton/breaking-the-cross-domain-barrier
> 
> Scripting Iframes - Tutorial and Examples
> http://www.dyn-web.com/tutorials/iframes/
> 
> -- 
> Documentation: http://doc.jsfiddle.net/
> Blog: http://blog.jsfiddle.net/


-- 
blog  http://piotr.zalewa.info
fidd  http://jsfiddle.net/user/zalun/
twit  http://twitter.com/zalun
face  http://facebook.com/zaloon
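Dan asks above about passing a user identity or access token from the host page to an embedded fiddle with postMessage, and zalun's point is that code running on the jsfiddle.net origin can read that domain's cookies. The following is an added example, not code from either author or from jsFiddle: the host sends the token only to the exact origin that serves the result, and the embedded side accepts it only from an allow-listed host origin. The origins `https://p2pu.org` and `https://fiddle-result.example` are placeholders assumed for illustration.

```javascript
// Added example (not from the original thread). Both functions are pure so
// they can be exercised outside a browser; wiring to window/iframe is at the end.
// Origins used here are constructed placeholders, not real deployment values.

const MESSAGE_TYPE = 'p2pu-identity';

// Host page side: send the token with an explicit targetOrigin, never '*'.
// The browser then delivers it only if the frame's document is actually
// served from resultOrigin, so a swapped-in or navigated frame gets nothing.
function sendIdentity(frameWindow, token, resultOrigin) {
  if (resultOrigin === '*') {
    throw new Error('refusing to broadcast an identity token to any origin');
  }
  const message = { type: MESSAGE_TYPE, token };
  frameWindow.postMessage(message, resultOrigin);
  return message;
}

// Embedded fiddle side: accept the token only from allow-listed host origins
// and only when the payload has the expected shape. Returns the token, or
// null when the message must be ignored. A separate result domain means the
// fiddle holds no jsfiddle.net cookies, so the token is all it receives.
function acceptIdentity(event, allowedHostOrigins) {
  if (!allowedHostOrigins.includes(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type !== MESSAGE_TYPE || typeof data.token !== 'string') return null;
  return data.token;
}

// Browser wiring (hypothetical page ids and origins):
// host:  sendIdentity(document.getElementById('fiddle').contentWindow,
//                     token, 'https://fiddle-result.example');
// frame: window.addEventListener('message', (e) => {
//          const token = acceptIdentity(e, ['https://p2pu.org']);
//          if (token !== null) { /* fetch user-specific data with token */ }
//        });
```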

