fgnass / spin.js

A spinning activity indicator
http://spin.js.org
MIT License

spin.js and spin.min.js missing in the latest version #357

Closed vthakre83 closed 6 years ago

vthakre83 commented 6 years ago

Hi team, I tried to use the version Spin.js 3.1.0; it's not having all the files needed in the zipped format: the spin.js and spin.min.js files are missing from the zip file. I tried to use the spin.min.js file from the forum also, and it shows that the file is just 1KB in size, not the actual file. Please let me know where I can get the latest files if this is not the correct place. The reason to use the latest version and not 2.3.2 is the Blackduck vulnerability finding on the 2.3.2 version.

regards, Vikrant

theodorejb commented 6 years ago

What "blackduck vulnerability" are you referring to? spin.js 3.x is written in TypeScript, so the compiled JavaScript files are intentionally excluded from the repository. You can clone and build this repository to get a compiled JavaScript file, or else install it from npm.

Did you read the installation instructions on http://spin.js.org? spin.js is not pre-minified, but if you are using the Webpack or Rollup module bundler as recommended, you can fairly easily minify your entire bundle for production.

vthakre83 commented 6 years ago

Thanks Theodorejb,

I will try to get the files through the steps mentioned.

Below is the description of the XSS vulnerability on version 2.3.2 detected by the Blackduck scan: spin.js contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the interaction between the script and a Content Security Policy (CSP) does not validate input before returning it to users. This may allow an attacker to create a specially crafted request that will execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.


-- Vikrant

theodorejb commented 6 years ago

To clear up confusion, there's not any XSS vulnerability in spin.js 2.3.2 itself that I'm aware of. It's true that v2.3.2 isn't compatible with the style-src 'self' Content Security Policy (issue #115), but that just means that spin.js 2.x doesn't work if that policy is enabled. The potential security risk is in not having a strict Content Security Policy, not from a flaw in the spin.js 2.x script.
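The distinction in the comment above, that a `style-src 'self'` policy blocks spin.js 2.x rather than being exploited by it, comes down to whether the deployed CSP permits inline styles at all. The checker below is an added example written for this thread (it is not spin.js code and not from the project): it parses a Content-Security-Policy header string and reports whether inline styles without a nonce or hash would be allowed, applying the standard fallback from `style-src` to `default-src`; the sample policies are constructed for illustration.

```javascript
// Added example (not part of spin.js): decide from a CSP header whether
// inline styles that carry no nonce/hash would be permitted by the browser.
// A library that injects such styles (the spin.js 2.x case from issue #115)
// simply fails to render under a policy where this returns false.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec the first occurrence of a directive wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineStylesAllowed(header) {
  const directives = parseCsp(header);
  // style-src governs styles; if absent, default-src applies; if neither
  // is present the policy says nothing about styles and they are allowed.
  const sources = directives.get('style-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  const lowered = sources.map((s) => s.toLowerCase());
  const hasUnsafeInline = lowered.includes("'unsafe-inline'");
  // Once a nonce or hash source is listed, 'unsafe-inline' is ignored and
  // only inline styles carrying a matching nonce/hash are permitted.
  const hasNonceOrHash = lowered.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return hasUnsafeInline && !hasNonceOrHash;
}

// Constructed sample policies, from the strictest (the one in issue #115)
// to one that has been loosened far enough to let unnonced inline styles run.
const samplePolicies = [
  "default-src 'self'; style-src 'self'",
  "style-src 'self' 'unsafe-inline' 'nonce-c0nstructed'",
  "default-src 'self' 'unsafe-inline'",
];

function reportPolicies(policies) {
  return policies.map((policy) => ({ policy, inlineStylesAllowed: inlineStylesAllowed(policy) }));
}

for (const row of reportPolicies(samplePolicies)) {
  console.log(`${row.inlineStylesAllowed ? 'ALLOWS' : 'blocks'} inline styles: ${row.policy}`);
}
```

Only the last sample policy, which opts back into `'unsafe-inline'`, lets unnonced inline styles through, which is the weakening that actually carries XSS risk.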