What are the security concerns beyond what's normally raised by allowing Javascript or embeds like Flash? Are there special things which Gears enables that are dangerous?

There might be good examples to follow here in the way that cookies are set, with optional sub-domain availability which should solve security concerns. Flash also has a cross-domain model.

It's a separate discussion, but imagine the boost to web-wide performance that could be gained if widgets, stats JS, adsense, and such could be served from LocalServer even if the linking website wasn't Gears-enabled.

Original comment by mmm...@gmail.com on 24 Jul 2008 at 2:32
Brad, there's a lot of discussion up there, can you help pin down the exact feature request?

I think the hope is to grant permission to a.com, and then not need a security dialog for b.com. However, since a.com and b.com are different security origins, there is no way for Gears to do that automatically.

The way to achieve this is for a.com to grant permission to b.com. That is already possible, using cross-origin workers.

One other solution I've seen: if foo.wp.com/admin redirected to admin.wp.com/foo/, then only admin.wp.com would need permissions.

Original comment by gears.te...@gmail.com on 24 Jul 2008 at 8:00
Hi Chris, here is the request boiled down:

I have all my static resources on static.wordpress.com. On myblog1.wordpress.com I indicate that I want to store things in the LocalServer for static.wordpress.com, get the permission prompt, and say OK. Then, on my second blog at myblog2.wordpress.com I would like to have the _same_ performance improvements in LocalServer for static.wordpress.com without another Gears permission dialog. I suggested cross-domain workers but they don't solve the problem -- you still get the permission dialog on both myblog1 and myblog2.

Original comment by bradneub...@gmail.com on 1 Aug 2008 at 5:43
I'm afraid I don't see any good way to do that. It would require breaking the same-origin security model.

* WARNING: Granting permission via cross-origin workers may not work as you're expecting. Let's say myblog1 grants permission to static, and static captures its resources. From there, _all_ requests to captured pages on static.wordpress.com will come from LocalServer -- even when requested by myblog2, which hasn't granted permission yet! In other words, myblog2 needs permission to call Gears APIs, but static already has permission and has captured (and is serving) resources.

* NOTE: The 'HTML5 Offline Apps' spec will let you capture resources in another domain without a security prompt. In that case, the resources are only served when requested _from_ the page that captured them. However, I don't know if the spec says whether an implementation can re-use already captured files, or if it must capture them again from each origin.

Original comment by gears.te...@gmail.com on 1 Aug 2008 at 6:05
Hi Chris, it sounds like what you suggest is actually the workaround: once static.wordpress.com has been captured, even if I'm on myblog2.wordpress.com it is still 'accelerated'. The one issue is that there is no way to detect from myblog2 that everything is already captured without giving a security prompt, is that correct?

Original comment by bradneub...@gmail.com on 1 Aug 2008 at 6:34
> The one issue is that there is no way to detect from myblog2
> that everything is already captured without giving a security prompt,
> is that correct?

That is correct. However...

If you only want to cache content on static.wordpress.com, I'd suggest not even asking for Gears permission on myblog1 or myblog2. You should be able to load a resource static.wordpress.com in an iframe, right? That's the "right" approach to this problem.

Original comment by gears.te...@gmail.com on 1 Aug 2008 at 11:32
I'm not sure if an iframe is the right approach. WordPress uses a LocalServer to cache all of the admin UI, which can't really be served from an iframe on myblog1.wordpress.com and myblog2.wordpress.com. An iframe would be awkward.

Original comment by bradneub...@gmail.com on 1 Aug 2008 at 11:39
I'm only saying to use it for requesting permission for static.wordpress.com, and then calling into LocalServer.

Original comment by gears.te...@gmail.com on 1 Aug 2008 at 11:58
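The iframe arrangement described above, as an added example that is not part of the original thread or of Gears itself: this script is meant to run inside a small page served from static.wordpress.com that each blog embeds in an iframe, so the Gears permission is requested and stored for that one origin and the blog pages never touch Gears. The Gears factory is passed in as a parameter, and `makeFakeFactory` is a constructed stand-in for `google.gears.factory` so the logic runs outside a Gears-enabled browser; the store name and manifest URL are assumptions.

```javascript
// Runs in the static.wordpress.com iframe. Requests permission once for that
// origin, then opens (or creates) the managed store and kicks off a capture.
// In a real browser the factory argument would be google.gears.factory.
function captureStaticResources(factory, manifestUrl) {
  // Gears shows the permission dialog for the iframe's origin only; the
  // embedding blog (myblog1, myblog2, ...) is never prompted.
  if (!factory.hasPermission &&
      !factory.getPermission('WordPress static files', null,
                             'Caches static files so pages load faster.')) {
    return { captured: false, reason: 'permission denied' };
  }
  var localServer = factory.create('beta.localserver');
  var storeName = 'wp-static';  // assumed store name
  // Reuse the store if an earlier visit (from any blog) already created it.
  var store = localServer.openManagedStore(storeName) ||
              localServer.createManagedStore(storeName);
  store.manifestUrl = manifestUrl;
  // Real Gears runs this asynchronously; poll store.updateStatus afterwards.
  store.checkForUpdate();
  return { captured: true, version: store.currentVersion };
}

// Constructed fake of the Gears factory for offline runs. It counts prompts
// so the "one dialog for many blogs" behaviour can be checked.
function makeFakeFactory(userAccepts) {
  var stores = {};
  var factory = {
    hasPermission: false,
    prompts: 0,
    getPermission: function () {
      factory.prompts += 1;
      factory.hasPermission = userAccepts;
      return userAccepts;
    },
    create: function (className) {
      if (className !== 'beta.localserver') {
        throw new Error('fake factory only supports beta.localserver');
      }
      return {
        openManagedStore: function (name) { return stores[name] || null; },
        createManagedStore: function (name) {
          stores[name] = {
            manifestUrl: '', currentVersion: '', updateStatus: 0,
            checkForUpdate: function () { this.currentVersion = 'v1'; }
          };
          return stores[name];
        }
      };
    }
  };
  return factory;
}
```

Each blog's iframe calls `captureStaticResources` on load; only the first call on a given browser ever shows the dialog, because the permission belongs to static.wordpress.com.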
That would work well if the browser sees the content as coming from one main server. However on WordPress.com (and probably other large sites) the browser sees the content as coming from blog1.wordpress.com, blog2.wordpress.com, etc.

What we were trying to accomplish was to have Gears ask for permission for the main domain, then use the captured files on the sub-domains too without needing second permission.

This is similar to giving permission to site.com and then using the captured content on site.com/user1/, site.com/user2/, etc. (the current behavior). So giving permission to site.com would use the captured content on user1.site.com, user2.site.com, etc. without asking for new permission on each sub-domain.

Of course user1.site.com can have a different store and capture different content that will only be used on that sub-domain.

Original comment by aozem...@gmail.com on 2 Aug 2008 at 7:26
Original issue reported on code.google.com by bradneub...@gmail.com on 23 Jul 2008 at 11:25