Forum OpenACS Development: Re: OpenACS 5.10 Roadmap?

3: Re: OpenACS 5.10 Roadmap? (response to 2)
Posted by Frank Bergmann on
Hi!

There are quite a number of ToDos...
I understand you are going to stay upward compatible, for example on these planned parameter improvements?

In ]po[ we'd be mainly interested in these security improvements with CSP and ad_page_contract, in order to produce a ]project-open[ V5.1 exclusively with security focus. And not break the running system with incompatibilities...

But from what I see that may still take quite a while, is that correct?

Cheers
Frank

4: Re: OpenACS 5.10 Roadmap? (response to 3)
Posted by Gustaf Neumann on
Most of the items of the agenda page are already done; a few elements are moved to postponed, I think there is just one open item. The largest missing effort is the usual release work (summarizing the changes, documentation updates, testing, packaging, ...).

There is no paved way to cherry-pick all the CSP and security improvements from oacs-5-10. The basic CSP infrastructure is already in OpenACS 5.9.1. The forthcoming release contains numerous changes, especially in the application packages (also some core improvements). I would expect that for ]po[ most work will be the adoption for the application packages which are not part of the ~100 packages of oacs-5-10. Adoption means here to disallow "javascript:" URIs or "on*" event handlers (see e.g. [1]) to build restrictive CSPs (certain features can be selectively allowed in case of dependencies on external packages, but the default should be restrictive).

all the best -g
[1] https://openacs.org/xowiki/CSP
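The "adoption" work described in the post above (removing "javascript:" URIs and "on*" event handlers so a restrictive CSP can be enforced) can be audited mechanically. The following Node.js script is an added example and is not OpenACS, ]po[ or xowiki code: it scans a constructed HTML fragment for the three constructs a restrictive Content-Security-Policy (no 'unsafe-inline', no javascript: scheme) refuses to execute, normalising attribute values the way a browser does so whitespace-split or entity-encoded schemes are not missed. Function and file names are assumptions.

```javascript
// Added example (not OpenACS or ]po[ code): audit an HTML fragment for the
// constructs a restrictive Content-Security-Policy refuses to run:
//   - inline event handlers (onclick=, onerror=, ...)
//   - javascript: URIs in URL-bearing attributes
//   - inline <script> blocks without a nonce
// Run with: node csp_audit.js   (file name is an assumption)
'use strict';

// Attributes whose value a browser treats as a URL.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'data']);
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
const ATTR_RE = /\s([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

// Decode numeric character references and strip ASCII control/space
// characters before matching the scheme, as a browser does when it parses
// the URL, so "JAVA\tSCRIPT:" and "&#106;avascript:" are still caught.
function normalizeUrl(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/[\x00-\x20]/g, '')
    .toLowerCase();
}

// Returns one finding per offending attribute or inline script block.
function findCspViolations(html) {
  const findings = [];
  let tag;
  while ((tag = TAG_RE.exec(html)) !== null) {
    const tagName = tag[1].toLowerCase();
    const attrText = ' ' + tag[2]; // leading space so ATTR_RE's \s anchors the first attribute
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrText)) !== null) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (/^on[a-z]+$/.test(attr)) {
        findings.push({ tag: tagName, attr, kind: 'inline-event-handler', value });
      } else if (URL_ATTRS.has(attr) && normalizeUrl(value).startsWith('javascript:')) {
        findings.push({ tag: tagName, attr, kind: 'javascript-uri', value });
      }
    }
  }
  let s;
  while ((s = SCRIPT_RE.exec(html)) !== null) {
    const [, attrs, body] = s;
    const external = /\bsrc\s*=/i.test(attrs);   // script-src host/path allow-list applies
    const nonced = /\bnonce\s*=/i.test(attrs);   // 'nonce-...' source expression applies
    if (!external && !nonced && body.trim() !== '') {
      findings.push({ tag: 'script', attr: null, kind: 'inline-script', value: body.trim() });
    }
  }
  return findings;
}

// Constructed sample markup for the demonstration; not taken from any real package.
const SAMPLE_HTML = `
<a href="javascript:void(0)" onclick="openDialog(1)">Open</a>
<img src="/img/logo.png" onerror="this.src='/img/fallback.png'">
<a href=" JAVA\tSCRIPT:alert(1)">whitespace in scheme</a>
<a href="&#106;avascript:alert(2)">entity-encoded scheme</a>
<button type="button" data-action="open">OK</button>
<script>var x = 1;</script>
<script src="/js/app.js"></script>
<script nonce="r4nd0m">init();</script>
`;

for (const f of findCspViolations(SAMPLE_HTML)) {
  console.log(`${f.kind.padEnd(22)} <${f.tag}${f.attr ? ' ' + f.attr : ''}> ${f.value}`);
}
```

The sample reports six findings: two inline event handlers, three javascript: URIs (including the whitespace-split and entity-encoded variants) and one nonce-less inline script; the `<button>` with a `data-action` attribute and the external and nonced scripts pass, which is the shape the markup has to take before `script-src` can drop 'unsafe-inline'.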

5: Re: OpenACS 5.10 Roadmap? (response to 4)
Posted by Frank Bergmann on
Hi Gustaf,

I don't worry much about the application packages, because we don't use many of them, and we do not customize them.

We also have very little "embedded" JavaScript. We do have all those Sencha widgets, but I understand these are not affected.

We've got one special problem with a number of *.js.adp files. This is to use the OpenACS localization infrastructure for JavaScript files. Also we sometimes "embed" small pieces of data from the database in a Sencha "store" (=table) in JSON code generated in the .tcl part of such pages.

The problem is that we need to make OpenACS produce a JavaScript MIME type for these files, instead of text/html...

Cheers
Frank

6: Re: OpenACS 5.10 Roadmap? (response to 5)
Posted by Benjamin Brink on
Hi Frank,

Have you tried putting this in the .js.tcl part of the file?

ns_adp_mime "text/javascript"

cheers,
Ben

7: Re: OpenACS 5.10 Roadmap? (response to 6)
Posted by Frank Bergmann on
Thank you Ben!