[dojo-contributors] "core dojo", packaging, and the build system
jkuhnert at gmail.com
Wed Apr 5 19:39:32 EDT 2006
Hmmm...Sounds like something we'll not agree on...But I personally think the
dojo foundation could do a sufficient job screening trusted entities..
the sort of advanced actions that a piece of hardware like a router/dns
server can do. Like guarantee bandwidth limits, check QOS constraints to
make sure one host in the chain isn't operating too slowly..etc...That's
just me though :)
On 4/5/06, Sandro Magi <smagi at naasking.homeip.net> wrote:
> Such a setup is still just as vulnerable. I would rather have the
> control in the dojo array anyway, because I could then specify my own
> server farm.
> Jesse Kuhnert wrote:
> > Ouch, I don't think I meant for dojo to try managing the hosts...I was
> > imagining some sort of dojo sponsored thing where relationships are
> > built with trusted companies/hosts and the routing is done through,
> > well..a router/dns server somewhere.
> > On 4/5/06, Sandro Magi <smagi at naasking.homeip.net> wrote:
> > > An array of hosts with a random selection stored in dojo.js could be
> > > used to distribute the load across any number of servers. Whether
> > > is actually a win depends on how scripts are cached by the browser.
> > > the browsers are good, then distributing the scripts in this manner
> > > could very well *degrade* performance.
> > > Furthermore, this is potentially a security nightmare. Subverting
> > > one of the hosting servers means an attacker could potentially steal
> > > information from any web applications which use dojo this way.
> > > You can close this vulnerability by storing secure hashes of the
> > > referenced scripts in the root dojo.js file. When the script is
> > > the computed hash must match the stored one to ensure that the
> > > hasn't been compromised. If it doesn't match, the next server could
> > > tried. I can't think how else you can ensure the app's security.
> > > Sandro
Tacos/Tapestry, team member/developer
Open source based consulting work centered around
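
The hash check with fallback that the quoted message from Sandro Magi proposes can be sketched as follows. This is an added example, not part of the thread and not Dojo code; `loadVerified`, `fetchFrom`, the mirror names and the in-memory `MIRRORS` table (standing in for real network fetches) are all assumptions made for illustration.

```javascript
// Added example, not Dojo code: loadVerified, fetchFrom, MIRRORS are hypothetical.
const { createHash } = require("crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Constructed sample data: what each mirror serves (stands in for the network).
const GOOD_SRC = 'dojo.provide("dojo.event");';
const MIRRORS = {
  "mirror-a.example": { "src/event.js": GOOD_SRC + "/* tampered */" },
  "mirror-b.example": { "src/event.js": GOOD_SRC },
  "mirror-c.example": {}, // file missing on this host
};

// Hashes pinned in the root dojo.js; useful only if that file comes from a trusted origin.
const PINNED = new Map([["src/event.js", sha256(GOOD_SRC)]]);

function fetchFrom(host, path) {
  const files = MIRRORS[host] || {};
  if (!Object.prototype.hasOwnProperty.call(files, path)) throw new Error("fetch failed");
  return files[path];
}

// Random host order spreads load (Fisher-Yates shuffle).
function shuffled(list, rng = Math.random) {
  const a = list.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Return the first body whose hash matches the pin; never return unverified code.
function loadVerified(path, hosts, fetcher = fetchFrom) {
  if (!PINNED.has(path)) throw new Error("no pinned hash for " + path); // fail closed
  const rejected = [];
  for (const host of hosts) {
    let body;
    try {
      body = fetcher(host, path);
    } catch (e) {
      rejected.push({ host, reason: "unavailable" });
      continue;
    }
    if (sha256(body) === PINNED.get(path)) return { host, body, rejected };
    rejected.push({ host, reason: "hash mismatch" });
  }
  throw new Error("all hosts failed verification for " + path);
}
```

Browsers that support Subresource Integrity perform the same comparison natively through the `integrity` attribute on `<script>`, though without the retry against another host.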