From: JT S. <jt...@pl...> - 2004-07-09 14:23:43
I'm not sure how this solves the security problem. The javascript will still be calling a page from a new host, so wouldn't it then still cause a security problem? I guess what I'm saying is that I don't think this is a WebGUI configuration issue, but rather a server config issue.

To avoid the security issue I think you need a front end proxy that masks the backend servers. So when a request is made for a page that has javascript in it, you'd have this:

    page req -> proxy (www.me.com) -> webgui (wg.me.com)
    js req   -> proxy (www.me.com) -> static server (extras.me.com)

With a setup like this it will both boost performance (because the proxy server is handling the latent requests) and solve the security issue (because the browser thinks everything came from the same source).

On 09 Jul 2004 15:21:42 +0200 Leendert Bottelberghs <lee...@un...> wrote:
>I'm currently experimenting with setting up WebGUI to run on two
>different http servers. I use an Apache/mod_perl server for the dynamic
>content (generating the pages), and thttpd (a fourth-generation
>Non-blocking I/O server) for serving all static content (uploads and
>extras).
>I was very pleased with the way WebGUI supports the configuration of the
>extras and uploads URL, this makes setting up a config like mine quite
>easy.
>I encountered a problem though with some of the javascript that is in
>the extras directory and is used in functionality such as the HTML
>editors. The extras-url must be different from the site-url because it
>is served by a different http-server. It's also possible to use the same
>url, but on a different port. This results in the HTML-editor javascript
>being served from a different domain than the website in which the edit
>form is present. This causes a javascript security exception, so the
>editor will NOT work.
>
>To conclude: as long as the default javascripts that come with WebGUI
>are approached from the extrasURL that is configured in the config-file,
>you can't serve the extras folder from another server.
>Solution: separate the javascript that comes with WebGUI and put them in
>a javascript folder that can be configured separately from the
>extras-folder and -url. It won't be a bad idea at all to join all
>javascript into one folder, aside from the reasons mentioned before.
>
>JT, what do you say about this?
>
>-leendert

JT ~ Plain Black
Create like a god, command like a king, work like a slave.
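
The origin comparison behind the exception discussed in this thread, together with the proxy layout sketched in the reply, as an added example that is not part of either message or of WebGUI. The `/extras/` and `/uploads/` path prefixes, the routing table and the `editor.js` file name are assumptions made for illustration; the hostnames are the ones used in the thread.

```javascript
// An origin is the (scheme, host, port) triple; a different host OR a
// different port on the same host is a different origin to the browser.
function originOf(url) {
  const u = new URL(url);
  // URL drops default ports, so restore them to compare explicitly.
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical routing table for the front-end proxy (www.me.com).
// Most specific prefixes first; the catch-all goes to the WebGUI backend.
const ROUTES = [
  { prefix: "/extras/", backend: "http://extras.me.com" },
  { prefix: "/uploads/", backend: "http://extras.me.com" },
  { prefix: "/", backend: "http://wg.me.com" },
];

// Backend URL the proxy fetches for a browser-visible URL. The browser
// never sees this address, only the proxy's own origin.
function upstreamFor(publicUrl) {
  const u = new URL(publicUrl);
  const route = ROUTES.find((r) => u.pathname.startsWith(r.prefix));
  return route.backend + u.pathname + u.search;
}

// Deployment check: list script URLs whose origin differs from the page's.
// Relative URLs are resolved against the page, as a browser would do.
function crossOriginScripts(pageUrl, scriptUrls) {
  return scriptUrls.filter((s) => !sameOrigin(pageUrl, new URL(s, pageUrl).href));
}

// Constructed sample input: one page and three ways of referencing the script.
const PAGE = "http://www.me.com/index.pl/home";
const SCRIPTS = [
  "/extras/editor.js",                       // via the proxy
  "http://extras.me.com/extras/editor.js",   // separate static host
  "http://www.me.com:8080/extras/editor.js", // same host, different port
];
console.log(crossOriginScripts(PAGE, SCRIPTS));
console.log(upstreamFor("http://www.me.com/extras/editor.js"));
```

Running the check against the configured extras URL before deployment shows whether a given layout keeps every script on the site's own origin.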