[p2pu-dev] [jsFiddle] Zalun - Thanks for your comment re /show/
zuzel.vp
zuzel.vp at gmail.com
Wed Apr 13 15:23:46 UTC 2011
Hi Piotr,
Thanks for your email. Will you recommend
http://doc.jsfiddle.net/use/embedding.html as a non-xss way to embed
jsfiddle? I am somehow concerned about Dan's efforts of pass a user
identity or access token from the host page to the embedded fiddle
(maybe a rest api with oauth will support better the useful features
needed by Dan).
--
Thanks,
Zuzel
On Wed, Apr 13, 2011 at 10:36 AM, Piotr Zalewa <zaloon at gmail.com> wrote:
> Dan,
>
> There are 2 issues.
>
> 1. It's undocummented as it may be changed in the future
> 2. Use of the jsfiddle.net to display unwrapped result isn't secure.
> This code has access to cookies from that domain and may be used
> to steal user session. Therefore I'm considering blocking the ability
> to display /show/ from jsfiddle.net domain. Malicious JavaScript
> placed on some blog may lead to a massive session break ins.
>
> I'm planning to add the /result/ as described here:
> https://github.com/jsfiddle/jsfiddle-docs-alpha/issues/32
> If you think it's a better idea, I'll add it as soon as possible.
>
> Watermark is not a solution as it would involve adding code by jsFiddle
> to the example, which I'd rather not do.
>
> If you'd request some code to be added to the site I'm more than happy
> to add it. Please use the
> https://github.com/jsfiddle/jsfiddle-docs-alpha/issues/
>
> One may achieve current username from jsfiddle.net by using the
> http://jsfiddle.net/user/get_username/ (ouch! just realized I haven't
> added this to the documentation, I'll fix it in a second)
>
> zalun
>
> On 04/13/11 14:59, Dan Diebolt wrote:
>> @Zalun, thanks for your comment regarding the use of the /show/ url at
>> this site that I am involved with:
>>
>> http://p2pu.org/webcraft/node/27443/document/27537
>>
>> As you can see from the other examples on that page we have been trying
>> to demonstrate (a) the extremely wide range of ways in which jsFiddle
>> can be used in collaborative open learning scenarios as well as (b)
>> finding technical ways to embed jsFiddle into somewhat "uncooperative"
>> host platforms such as blogs, social hubs, content management systems
>> and learning management systems. I say "uncooperative" from the
>> perspective of the host platform not envisioning inclusion of jsFiddle
>> in terms of (a) embed mechanism [<iframe>, <object>, <script>, <applet>,
>> <embed>], (b) adequate layout space, (c) classic "trapped in frame"
>> issue, (d) Cross-site scripting concerns etc. Also I have been looking
>> at ways in which an embedded fiddle can receive or pull information from
>> its host container page despite the same origin policy. It would be
>> extremely helpful for example to be able to safely pass a user identity
>> or access token from the host page to the embedded fiddle (postMessage
>> maybe). This way the embedded fiddle could actually act as a tool to
>> perform some useful function such as displaying
>> information retrieved from an external data source but tied to the user
>> identity or session in the host platform. Ultimately I believe all these
>> things are possible now using some of those advanced techniques I
>> outlined in a previous post but it depends on what capabilities the host
>> platform happen to supports.
>>
>> Also in regard to the /show/ suffix, I have seen no problem whatsoever
>> using it. The concern isn't so much debranding and removing the chrome
>> but rather getting the fiddle to embed nicely in the host page without
>> taking up unnecessary space. I would prefer a watermark inside the
>> jsfiddle to preserve branding and identity as the bar across the top
>> simply takes up too much space (embedding jsdo.it <http://jsdo.it> takes
>> up way to much space).
>>
>> ==============
>> Cross-Domain Communication with IFrames
>> http://softwareas.com/cross-domain-communication-with-iframes
>>
>> easyXDM: Cross-Domain Messaging Made Easy
>> http://easyxdm.net/
>>
>> Breaking The Cross Domain Barrier
>> http://www.slideshare.net/SlexAxton/breaking-the-cross-domain-barrier
>>
>> Scripting Iframes - Tutorial and Examples
>> http://www.dyn-web.com/tutorials/iframes/
>>
>> --
>> Documentation: http://doc.jsfiddle.net/
>> Blog: http://blog.jsfiddle.net/
>> ------------------------------------------------------
>> To post to this group, send email to jsfiddle-users at googlegroups.com
>> To unsubscribe, send email to jsfiddle-users+unsubscribe at googlegroups.com
>> For more options, visit this group at
>> http://groups.google.com/group/jsfiddle-users?hl=en-GB
>
>
> --
> blog http://piotr.zalewa.info
> fidd http://jsfiddle.net/user/zalun/
> twit http://twitter.com/zalun
> face http://facebook.com/zaloon
> _______________________________________________
> p2pu-dev mailing list
> p2pu-dev at lists.p2pu.org
> http://lists.p2pu.org/mailman/listinfo/p2pu-dev
>
More information about the p2pu-dev
mailing list