Thread: Re: [google-gears] Re: Save a Javascript String to a Resource url? (7 messages in com.googlegroups.google-gears)

Messages in thread:
- zvi at theidea dot net, 20 Jul 2007 21:28
- Michael Nordman, 23 Jul 2007 10:49
- Scott Hess, 23 Jul 2007 11:01
- Michael Nordman, 23 Jul 2007 18:09
- Scott Hess, 23 Jul 2007 21:25
- zvi at theidea dot net, 23 Jul 2007 22:57
- zvi at theidea dot net, 23 Jul 2007 23:02

Subject: Re: [google-gears] Re: Save a Javascript String to a Resource url?
From: Scott Hess (sh.@google.com)
Date: 07/23/2007 09:25:48 PM
List: com.googlegroups.google-gears

Being able to stuff content into LocalServer resources means that anything that can inject JavaScript code into your app can fake up responses from your server. In the limit, this isn't a material change - after all, all this can be used for is to eventually convince your app to send something evil up to the server, and since you already have compromised the client, that's a given. But such a change may make it significantly easier to bootstrap your way into place. For instance, your code could read the existing resource, add some code, and write it back out, like a virus.

-scott

On 7/23/07, Michael Nordman <mich@google.com> wrote:

I don't get what you mean... what type of "validation" would a client need to do?

On 7/23/07, Scott Hess <sh.@google.com> wrote:

An issue with this kind of change is that it materially modifies the model web apps work under. For instance, right now the server needs to validate _anything_ the client sends up, but usually clients don't validate anything the server sends down.

On 7/23/07, Michael Nordman <mich@google.com> wrote:

This is not possible with gears at this time.

We have considered a feature that would allow this, but have no concrete plans to make it so yet. See http://code.google.com/p/google-gears/issues/detail?id=105.

On 7/20/07, zvi at theidea dot net <zvi.@gmail.com> wrote:

You can pull the data in a URL into a JavaScript string with XMLHttpRequest, but you cannot write it back.

In my gearswiki.theidea.net, this would be used to great effect to create downloadable dumps of certain content in the local database. I have a temporary hack using data URLs, but this results in bad filenames for the downloads, and isn't very portable. You could imagine creating GIFs, and other things on the client side.

Is it possible to do this now? If not, why not, and is this on the horizon?

Large pieces of data cannot be pulled out of the browser / sqlite without this feature.

Any ideas?