[dojo-contributors] "core dojo", packaging, and the build system

Jesse Kuhnert jkuhnert at gmail.com
Wed Apr 5 19:39:32 EDT 2006


Hmmm...Sounds like something we'll not agree on...But I personally think the
dojo foundation could do a sufficient job screening trusted entities..

I also don't think javascript in someone's browser is going to be able to do
the sort of advanced actions that a piece of hardware like a router/dns
server can do. Like guarantee bandwidth limits, check QOS constraints to
make sure one host in the chain isn't operating too slowly..etc...That's
just me though :)

On 4/5/06, Sandro Magi <smagi at naasking.homeip.net> wrote:
>
> Such a setup is still just as vulnerable. I would rather have the
> control in the dojo array anyway, because I could then specify my own
> server farm.
>
> Sandro
>
> Jesse Kuhnert wrote:
> > Ouch, I don't think I meant for dojo to try managing the hosts...I was
> > imagining some sort of dojo sponsored thing where relationships are
> > built with trusted companies/hosts and the routing is done through,
> > well..a router/dns server somewhere.
> >
> > On 4/5/06, Sandro Magi <smagi at naasking.homeip.net> wrote:
> >
> >     An array of hosts with a random selection stored in dojo.js could be
> >     used to distribute the load across any number of servers. Whether this
> >     is actually a win depends on how scripts are cached by the browser. If
> >     the browsers are good, then distributing the scripts in this manner
> >     could very well *degrade* performance.
> >
> >     Furthermore, this is potentially a security nightmare. Subverting any
> >     one of the hosting servers means an attacker could potentially steal
> >     information from any web applications which use dojo this way.
> >
> >     You can close this vulnerability by storing secure hashes of the
> >     referenced scripts in the root dojo.js file. When the script is fetched,
> >     the computed hash must match the stored one to ensure that the script
> >     hasn't been compromised. If it doesn't match, the next server could be
> >     tried. I can't think how else you can ensure the app's security.
> >
> >     Sandro
> >



--
Jesse Kuhnert
Tacos/Tapestry, team member/developer

Open source based consulting work centered around
dojo/tapestry/tacos/hivemind.  http://opennotion.com
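
The hash check proposed in the quoted message, sketched as an added example that is not part of the original thread or of Dojo's code: hashes pinned in the trusted root file, each mirror's copy verified before use, and the next host tried on a mismatch. The function names, the injected synchronous `fetchFrom` fetcher, the hosts and the file contents are all assumptions constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// SHA-256 of a script body, hex encoded.
function sha256Hex(text) {
  return createHash("sha256").update(text, "utf8").digest("hex");
}

// Try each host in order and accept the first body whose hash matches the pin.
// fetchFrom(host, path) is a hypothetical injected fetcher that returns the
// script text, or null when the host cannot be reached.
function loadVerified(path, hosts, pinnedHashes, fetchFrom) {
  const expected = pinnedHashes[path];
  if (!expected) throw new Error("no pinned hash for " + path); // fail closed
  const rejected = [];
  for (const host of hosts) {
    const body = fetchFrom(host, path);
    if (body === null) {
      rejected.push({ host, reason: "unreachable" });
      continue;
    }
    if (sha256Hex(body) !== expected) {
      rejected.push({ host, reason: "hash mismatch" }); // worth reporting
      continue;
    }
    return { host, body, rejected }; // only a verified body may be evaluated
  }
  throw new Error("no host served a valid copy of " + path);
}

// Constructed sample data. A real build would embed literal hex digests
// in the root file instead of computing them at load time.
const GOOD = "dojo.provide('dojo.event');";
const PINNED = { "src/event.js": sha256Hex(GOOD) };
const MIRRORS = {
  "a.example": { "src/event.js": GOOD + "/* modified copy */" },
  "b.example": {}, // host is down
  "c.example": { "src/event.js": GOOD },
};
function fakeFetch(host, path) {
  const files = MIRRORS[host] || {};
  return path in files ? files[path] : null;
}

function demo() {
  const hosts = ["a.example", "b.example", "c.example"];
  return loadVerified("src/event.js", hosts, PINNED, fakeFetch);
}
```

The scheme is only as trustworthy as the root file that carries the hashes, so that file has to come from the application's own origin. Browsers now perform the same comparison natively through the `integrity` attribute on `<script>` (Subresource Integrity).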