Forum OpenACS Development: Re: OpenACS 5.10 Roadmap?

4: Re: OpenACS 5.10 Roadmap? (response to 3)
Posted by Gustaf Neumann on
Most of the items of the agenda page are already done; a few elements are moved to postponed. I think there is just one open item. The largest missing effort is the usual release work (summarizing the changes, documentation updates, testing, packaging, ...).

There is no paved way to cherry-pick all the CSP and security improvements from oacs-5-10. The basic CSP infrastructure is already in OpenACS 5.9.1. The forthcoming release contains numerous changes, especially in the application packages (also some core improvements). I would expect that for ]po[ most work will be the adoption for the application packages which are not part of the ~100 packages of oacs-5-10. Adoption means here to disallow "javascript:" URIs or "on*" event handlers (see e.g. [1]) for building restrictive CSPs (certain features can be selectively allowed in case of dependencies on external packages, but the default should be restrictive).

all the best -g
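The adoption work described in the post above (finding the "javascript:" URIs and inline "on*" handlers that a restrictive CSP would block) is mostly a search through templates. The following is an added example, not OpenACS or ]po[ code: a small regex-based lint over raw markup text that reports those two constructs, plus inline <script> bodies, which the same CSP blocks unless a nonce, hash or 'unsafe-inline' is allowed. The sample template is constructed for the example and only loosely resembles an ADP file.

```javascript
// Added example (not part of OpenACS): lint markup for constructs that a
// restrictive Content-Security-Policy (no 'unsafe-inline', no javascript:
// URIs) refuses to execute. Regex-based, so it is a quick pre-check for
// template files, not a full HTML parser; attribute values containing a
// literal ">" will cut a tag short.

const TAG = /<([a-zA-Z][\w-]*)\b[^>]*>/g;          // opening tags only
const HANDLER_ATTR = /\s(on[a-zA-Z]+)\s*=/g;        // onclick=, onsubmit=, ...
const JS_URI_ATTR = /\b(href|src|action|formaction)\s*=\s*["']?\s*javascript:/i;

// 1-based line number of a character offset in the text.
function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// Returns one finding per CSP-incompatible construct:
// { kind: "inline-handler" | "javascript-uri" | "inline-script", line, detail }
function findCspBlockers(markup) {
  const findings = [];
  TAG.lastIndex = 0;
  let tag;
  while ((tag = TAG.exec(markup)) !== null) {
    const tagText = tag[0];
    const name = tag[1].toLowerCase();
    const line = lineOf(markup, tag.index);

    // Inline event handler attributes: <a onclick="...">
    HANDLER_ATTR.lastIndex = 0;
    let h;
    while ((h = HANDLER_ATTR.exec(tagText)) !== null) {
      findings.push({ kind: "inline-handler", line, detail: h[1] });
    }

    // javascript: scheme in navigation/resource attributes
    if (JS_URI_ATTR.test(tagText)) {
      findings.push({ kind: "javascript-uri", line, detail: name });
    }

    // <script> without src= carries an inline body
    if (name === "script" && !/\bsrc\s*=/i.test(tagText)) {
      findings.push({ kind: "inline-script", line, detail: name });
    }
  }
  return findings;
}

// Tally findings by kind, e.g. { "inline-handler": 2, ... }
function countByKind(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Human-readable report, one line per finding.
function formatReport(findings) {
  return findings.map(f => `line ${f.line}: ${f.kind} (${f.detail})`).join("\n");
}

// Constructed sample template (not from any real package). Lines 3-5 use
// constructs a restrictive CSP blocks; lines 6-7 show the compliant forms:
// an external script file and a data-* attribute wired up by that file.
const SAMPLE_TEMPLATE = `<master>
<property name="doc(title)">Example</property>
<a href="javascript:void(0)" onclick="toggle('panel')">Toggle</a>
<form action="save" onsubmit="return validate()">
<script>var projectId = @project_id@;</script>
<script src="/resources/app.js"></script>
<button id="toggle-btn" data-target="panel">Toggle</button>
</master>`;

console.log(formatReport(findCspBlockers(SAMPLE_TEMPLATE)));
```

The lint only tells you where to look; the authoritative check is the browser, so run the pages with the restrictive policy in place and read the CSP violation reports it produces. The compliant rewrite of the flagged lines is the pattern shown in lines 6 and 7 of the sample: behaviour moves into an external script that attaches listeners with addEventListener, and per-page data travels in data-* attributes or in a JSON document served with its own MIME type rather than in an inline script body.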

5: Re: OpenACS 5.10 Roadmap? (response to 4)
Posted by Frank Bergmann on
Hi Gustaf,

I don't worry much about the application packages, because we don't use much of them, and do not customize them.

We also have very little "embedded" JavaScript. We do have all those Sencha widgets, but I understand these are not affected.

We've got one special problem with a number of *.js.adp files. This is to use the OpenACS localization infrastructure for JavaScript files. Also we sometimes "embed" small pieces of data from the database in a Sencha "store" (=table) in JSON code generated in the .tcl part of such pages.

The problem is that we need to make OpenACS produce a JavaScript MIME type for these files, instead of text/html...


6: Re: OpenACS 5.10 Roadmap? (response to 5)
Posted by Benjamin Brink on
Hi Frank,

Have you tried putting this in the .js.tcl part of the file?

ns_adp_mime "text/javascript"


7: Re: OpenACS 5.10 Roadmap? (response to 6)
Posted by Frank Bergmann on
Thank you Ben!