Remote JS and MOD update policy changes

DavidIQ
Customisations Team Leader
Posts: 16680
Joined: Thu Jan 06, 2005 1:30 pm
Location: Fishkill, NY
Name: David Colón

Post by DavidIQ » Tue Feb 01, 2011 12:25 pm

Hello all,

During the phpBB meetup in Manchester, Paul and I discussed a couple of issues that are very common among MOD authors.

First off if you've ever sent in your MOD with just a MODX update and a phpBB version update you've likely been denied. We will no longer deny such updates as long as the phpBB version is updated as well. We will not, however accept a MOD update that is just for MODX. We are changing this "unwritten" policy because we realize that there is a drop-down in the MODDB that shows what phpBB versions the MOD applies to and this can only be updated if you submit an update to your MOD. This will also help reduce the constant onslaught of questions about if the MOD works on the current version of phpBB.

Second item we spoke about was about remote javascript inclusion. We are talking about when a MOD requires a modification to the overall_header.html file to add the inclusion of a javascript file like so:

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script>
Obviously this example is a very acceptable option HOWEVER we have had MOD authors that want to add remote inclusion of javascript files from their own sites. So we would like to hear your thoughts about this and any security worries that you may have. We have denied MODs for things like this but we don't actually have an official policy for it. So we'd like to hear from you, the community, on what we should do, if anything, about this potential security risk. Do we allow remote inclusion of javascript from any source? Do we allow remote inclusion of js only from a list of approved sources? If so then what sources would the list contain?

We want you, the community, to have a final say in this. So let's hear what you have to say. :ugeek:
Apply to become a Jr. Extension Validator
My extensions | In need of phpBB services? | Was I helpful today?
No unsolicited PMs unless you're planning on asking for paid help.

Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean

Post by Erik Frèrejean » Tue Feb 01, 2011 12:53 pm

DavidIQ wrote:First off if you've ever sent in your MOD with just a MODX update and a phpBB version update you've likely been denied. We will no longer deny such updates as long as the phpBB version is updated as well. We will not, however accept a MOD update that is just for MODX. We are changing this "unwritten" policy because we realize that there is a drop-down in the MODDB that shows what phpBB versions the MOD applies to and this can only be updated if you submit an update to your MOD. This will also help reduce the constant onslaught of questions about if the MOD works on the current version of phpBB.
This really makes sense, I've always found it kinda annoying that in order to update your MOD for a new phpBB version, that you only could do that by changing the MOD (which in a lot of cases isn't required). Just a quick question though, I assume that these kind of updates are pushed to the bottom of the queue, or can you add a note about it in the "Validation Notes" so that the update can be "insta-approved", as there is only a version change it makes sense to allow that as well instead of pushing them into the queue.
DavidIQ wrote:Second item we spoke about was about remote javascript inclusion. We are talking about when a MOD requires a modification to the overall_header.html file to add the inclusion of a javascript file like so:

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script>
Obviously this example is a very acceptable option HOWEVER we have had MOD authors that want to add remote inclusion of javascript files from their own sites. So we would like to hear your thoughts about this and any security worries that you may have. We have denied MODs for things like this but we don't actually have an official policy for it. So we'd like to hear from you, the community, on what we should do, if anything, about this potential security risk. Do we allow remote inclusion of javascript from any source?
First of all how do you validate remote .js? The file content that is on the remote server at the time of the validation doesn't necessarily have to be there (for example) 3 months down the line. What happens if the remote server goes down and with that breaks the MOD (or a server/domain/file move for what it's worth)? Or the owner of the server simply replaces the file with another javascript file, now every board with that MOD can be exploited with nasty javascript as the board owner doesn't know this, so basically you'll allow third parties to remotely change the behavior of boards :o. This is IMHO a *really* bad idea and please don't allow it, by allowing this you'll take away control from the board owner with all the problems that come with that.
That said I honestly don't see a valid reason to host javascript required for a MOD on the server of the author.
DavidIQ wrote:Do we allow remote inclusion of js only from a list of approved sources? If so then what sources would the list contain?
Besides the issues pointed out above (which apply to all remote sources, yes for some more than others), I don't think you'll be able to create a valid list of "approved sources". Why would you include google.com/xxx.yy but not erikfrerejean.com/xxx.yy? Because the latter isn't controlled by a multinational? Because the content on my server for some reason is less trustable than something on google's?

All in all I think that if your MOD requires javascript the javascript file should be included in the MOD package. Both for validation reasons (once installed the javascript remains the same as at the time of validation), as for controllability (the remote server goes down, my board potentially breaks).
Last edited by Erik Frèrejean on Tue Feb 01, 2011 12:56 pm, edited 2 times in total.
Reason: Typo fix
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)
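
The two checks discussed so far (where a MOD's script tags load from, and whether the script still matches what was validated) can be sketched as follows. This is an added example, not code from the thread or from phpBB; the approved-host list, the function names, the `board.invalid` placeholder origin, and the sample template edit are all assumptions constructed for illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Hypothetical approved-source list; the thread does not settle on one.
const APPROVED_HOSTS = new Set(['ajax.googleapis.com']);

// Placeholder origin used only to resolve relative paths; never contacted.
const BOARD_ORIGIN = 'https://board.invalid/';

// Collect the src attribute of every <script> opening tag in a template fragment.
function findScriptSources(html) {
  const sources = [];
  const tagRe = /<script\b[^>]*>/gi;
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const tag of html.match(tagRe) || []) {
    const m = srcRe.exec(tag);
    if (m) sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// Decide whether a script is shipped with the MOD or fetched from elsewhere.
function classifySource(src) {
  let url;
  try {
    url = new URL(src.trim(), BOARD_ORIGIN);
  } catch {
    return { src, kind: 'unparseable' };
  }
  // Relative paths resolve to the board itself: the file ships in the package.
  if (url.origin === new URL(BOARD_ORIGIN).origin) return { src, kind: 'bundled' };
  // Plain HTTP is never approved: the script could be altered in transit.
  const approved = url.protocol === 'https:' && APPROVED_HOSTS.has(url.hostname);
  return { src, host: url.hostname, kind: approved ? 'remote-approved' : 'remote-unapproved' };
}

function auditTemplateEdit(html) {
  return findScriptSources(html).map(classifySource);
}

// Digest of a script body, recorded at validation time (same format as a
// browser integrity attribute value: "sha384-" + base64).
function integrityOf(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// True when the bytes served now differ from the bytes that were validated.
function hasDrifted(pinnedIntegrity, currentBody) {
  return integrityOf(currentBody) !== pinnedIntegrity;
}

// Constructed sample: an overall_header.html edit as a MOD might submit it.
const SAMPLE_EDIT = `
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script>
<script type="text/javascript" src="http://mod-author.example/js/widget.js"></script>
<script type="text/javascript" src='//mod-author.example/js/stats.js'></script>
<script type="text/javascript" src="./styles/prosilver/template/mod_widget.js"></script>
<script type="text/javascript">var inlineOnly = true;</script>
`;

// Constructed script bodies: what was reviewed, and what the host serves later.
const VALIDATED_BODY = 'function widget(){return "v1";}';
const LATER_BODY = 'function widget(){return "v1";}/* changed after approval */';

console.log(auditTemplateEdit(SAMPLE_EDIT));
console.log('drifted:', hasDrifted(integrityOf(VALIDATED_BODY), LATER_BODY));
```

A bundled file only needs the first check at validation time; a remote file would need the digest comparison repeated for as long as the MOD is installed, which is the asymmetry the post above describes.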

Paul
Infrastructure Team Leader
Posts: 24494
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Post by Paul » Tue Feb 01, 2011 1:20 pm

Erik Frèrejean wrote:
DavidIQ wrote:First off if you've ever sent in your MOD with just a MODX update and a phpBB version update you've likely been denied. We will no longer deny such updates as long as the phpBB version is updated as well. We will not, however accept a MOD update that is just for MODX. We are changing this "unwritten" policy because we realize that there is a drop-down in the MODDB that shows what phpBB versions the MOD applies to and this can only be updated if you submit an update to your MOD. This will also help reduce the constant onslaught of questions about if the MOD works on the current version of phpBB.
This really makes sense, I've always found it kinda annoying that in order to update your MOD for a new phpBB version, that you only could do that by changing the MOD (which in a lot of cases isn't required). Just a quick question though, I assume that these kind of updates are pushed to the bottom of the queue, or can you add a note about it in the "Validation Notes" so that the update can be "insta-approved", as there is only a version change it makes sense to allow that as well instead of pushing them into the queue.
We haven't decided on that yet. For now it will end up at the bottom, but as I see how fast the queue mostly goes with smaller updates, I don't think this is currently a problem.
Knock knock
Race condition
Who's there?

My Blog | My Photos | my phpBB Extensions | custom phpBB work & Development

Popp Singh
Registered User
Posts: 317
Joined: Thu Apr 22, 2010 4:31 pm

Post by Popp Singh » Tue Feb 01, 2011 4:33 pm

1 - Good to see that you're talking about it here so that the whole community can have a look and comment here.
2 -
All in all I think that if your MOD requires javascript the javascript file should be included in the MOD package.
Yup anything else would be stupid for the reasons already given.
What I say is my opinion. If you don't like it or disagree with it let's talk about it and try to come to an agreement. I'm not too old to learn or change my opinions if they are wrong.

http://www.youtopia.ws

thinkagain
I've Been Banned!
Posts: 34
Joined: Thu Dec 23, 2010 4:17 pm

Post by thinkagain » Tue Feb 01, 2011 5:41 pm

2nd item - thumbs down for any remotely hosted content in MODs or Styles. If it is required for functionality it should be included in the package; to do anything else would require boards to have an accessible internet connection at all times and that is not valid. Many boards run behind corporate firewalls or in other private settings and it is not good policy to disenfranchise them from available third party board add-ons.

Sajaki
Registered User
Posts: 1347
Joined: Mon Mar 02, 2009 1:41 pm
Name: Andreas

Post by Sajaki » Tue Feb 01, 2011 10:29 pm

thumbs up from me for 2°.

I think content delivery systems are a good thing (™), especially for static content you might be serving in your site. They accelerate content delivery, thus saving you bandwidth. And since their servers are located globally network speed isn't a factor of location.

For serving scripts via cdn, trustworthiness is more important indeed. but i think ajax.googleapis.com can be trusted not to serve malware.

For example, jquery tools provides a free cdn for their bundle. and i know it's a good script, i use it a lot.

Wowhead js is another script that is very common with wow gamers and i see it a lot on phpbb3 sites. Since it's updated frequently hosting it on your own is possible but not preferable.

some scripts including my mod (bbdkp, yet to submit) call home with get_remote_file() to fetch the version number, phpbb does it too.

so i think it depends on the case.

Post by Erik Frèrejean » Tue Feb 01, 2011 10:55 pm

Sajaki wrote:For serving scripts via cdn, trustworthiness is more important indeed. but i think ajax.googleapis.com can be trusted not to serve malware.

For example, jquery tools provides a free cdn for their bundle. and i know it's a good script, i use it a lot.

Wowhead js is another script that is very common with wow gamers and i see it a lot on phpbb3 sites. Since it's updated frequently hosting it on your own is possible but not preferable.
Which brings up my point of "define trustworthy". I for one would never load javascript from a remote server like your last two examples. I don't know that site, I don't know who is maintaining it, I don't know how stable their servers are, etc, etc. As for the Google one it doesn't thrill me exactly, though you could consider that one as trusted. But even so, they can go down or not be accessible for any other reason (see thinkagain's example, country specific limitations) which will immediately break the MOD. If you install a MOD it shouldn't be able to break because a third party site decides to die/gets inaccessible.
Sajaki wrote:some scripts including my mod (bbdkp, yet to submit) call home with get_remote_file() to fetch the version number, phpbb does it too.
You can't really compare calling home to fetch a version number which then is handled by the system on the user's server, with complete pieces of code that are just executed by the browser.

Boardtalk.net
Registered User
Posts: 1185
Joined: Fri Jun 05, 2009 8:12 pm
Location: Ireland
Name: Colette

Post by Boardtalk.net » Wed Feb 02, 2011 1:24 am

Yep, great idea to show a mod is certified to work with the current version of phpbb even if no new edits were necessary. Top marks for that idea!

I don’t like using javascript that’s hosted on another server, even if it is googleapis.com or such like. If I come across any mods or other using a remotely hosted script I just copy it onto my own server.

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Post by Pony99CA » Wed Feb 02, 2011 2:44 am

Erik Frèrejean wrote:[...]I honestly don't see a valid reason to host javascript required for a MOD on the server of the author.
One good reason: Security updates. If a "trusted" source finds a security problem in the JavaScript code, they can fix it once and not require everybody to update their MODs.
Erik Frèrejean wrote:I don't think you'll be able to create a valid list of "approved sources". Why would you include google.com/xxx.yy but not erikfrerejean.com/xxx.yy? Because the latter isn't controlled by a multinational? Because the content on my server for some reason is less trustable than something on google's?
I think that you can create such a list. Whether it will be exhaustive or agreed upon is another issue. :D

And, sorry, Google has tons of resources to keep their servers up and running. I'm not so sure about Erik. ;)

Finally, wouldn't prohibiting remote JavaScript prevent things like AdSense MODs?

That said, if you're going to prevent remote JavaScript, what about other remote artifacts like images (which can be changed), CSS, PHP, HTML, etc.? Are those already disallowed? If so, what if my MOD is a gallery MOD for images stored in Flickr or some such site? If not, what if the MOD uses a Web bug to track usage?

Maybe the actual remote usage should be handled on a case-by-case basis. And, if you do allow it, make sure that there's a prominent note stating that the MOD uses off-site resources (with details). That way people can make an informed decision on whether they want to risk using it. I may trust Erik, but somebody else may not.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

Oleg
Former Team Member
Posts: 1221
Joined: Sat Jan 30, 2010 4:42 pm
Location: NYC

Post by Oleg » Wed Feb 02, 2011 3:14 am

No opinion on #1 at this time. Regarding #2:

My opinion (as a sysadmin) is that if a script may be hosted on my server, I should at least have the option of hosting it myself. For things like google analytics where it does not make sense to host the script on my board, taking it from google's servers is fine. For situations where the included version may get outdated, as long as the included version would continue to be functional there should be an option for me to host it myself.
Participate in phpBB development: Get involved | Issue tracker | Report a bug | Development board | Development IRC chat
My stuff: mindlinkgame.com

Ozo
Registered User
Posts: 304
Joined: Mon Dec 13, 2010 7:57 pm

Post by Ozo » Wed Feb 02, 2011 3:22 am

With the tons of MOD authors who leave their MOD abandoned (even though the download and thread will never get closed because of this) I say thumbs down to remotely hosted js files.

Post by DavidIQ » Wed Feb 02, 2011 3:46 am

Erik Frèrejean wrote:Just a quick question though, I assume that these kind of updates are pushed to the bottom of the queue, or can you add a note about it in the "Validation Notes" so that the update can be "insta-approved", as there is only a version change it makes sense to allow that as well instead of pushing them into the queue.
More than likely we'd do a diff with the last version, send it off for testing once we've verified it's just a version update, and approve after it's been verified as working on the said version. Would obviously help if a note is added by the MOD author to the queue that it's just a version update :)

To add a little more background to #2:
http://www.phpbb.com/customise/db/mod/r ... nstructor/
Note the edit we've done to the description. You might also note the following in the support area:
http://www.phpbb.com/customise/db/mod/r ... wn-t_89053
So we do currently have at least one MOD in the MODDB that has remote javascript and it had a problem because of this at one point. We approved it some time ago since we don't have an official policy on the matter but we wanted to solidify an actual policy on it that would make most happy.

Post by Erik Frèrejean » Wed Feb 02, 2011 6:38 am

Pony99CA wrote:
Erik Frèrejean wrote:[...]I honestly don't see a valid reason to host javascript required for a MOD on the server of the author.
One good reason: Security updates. If a "trusted" source finds a security problem in the JavaScript code, they can fix it once and not require everybody to update their MODs.
Which poses multiple problems, I for one have certain protocols that must be followed before someone can update stuff on sites I maintain. One is that all changes *must* be in a VCS so I can slap the person that uploaded broken stuff, this can't be done when using remote code. Secondly what happens if the "trusted" source thinks, well update x.y.z should also be pushed to everyone, that's better for them (and I wouldn't be surprised if that happened) and things break on my site because it isn't compatible.
Pony99CA wrote:
Erik Frèrejean wrote:I don't think you'll be able to create a valid list of "approved sources". Why would you include google.com/xxx.yy but not erikfrerejean.com/xxx.yy? Because the latter isn't controlled by a multinational? Because the content on my server for some reason is less trustable than something on google's?
I think that you can create such a list. Whether it will be exhaustive or agreed upon is another issue. :D

And, sorry, Google has tons of resources to keep their servers up and running. I'm not so sure about Erik. ;)
You are assuming here that I (or my host) can't keep my servers running, kinda harsh to do without knowing what/where I host and how it's hosted. Also keep in mind that the initial idea mainly points towards MOD authors and not big multi-million companies.
DavidIQ wrote:Obviously this example is a very acceptable option HOWEVER we have had MOD authors that want to add remote inclusion of javascript files from their own sites.
Pony99CA wrote: If so, what if my MOD is a gallery MOD for images stored in Flickr or some such site?
Due to the nature of services like Flickr one can assume that if you request a picture from the service a picture is what you get. If that picture contains an exploit, flickr itself most likely would be affected by that first ;). What we are discussing here however isn't getting an image from a remote source, but rather active code that gets executed by the browser no matter what. I know that I'm not a security professional, but to me that sounds like throwing out the security model of phpBB.
Pony99CA wrote:Maybe the actual remote usage should be handled on a case-by-case basis. And, if you do allow it, make sure that there's a prominent note stating that the MOD uses off-site resources (with details). That way people can make an informed decision on whether they want to risk using it. I may trust Erik, but somebody else may not.
We've also got users that are hardly capable of installing a MOD in the first place, how would those users be able to make such a decision? And *if* boards break/get hacked by allowing this I know who is getting the blame from the majority of users and it won't be the MOD author ;).

Post by Pony99CA » Wed Feb 02, 2011 8:39 am

Erik Frèrejean wrote:
Pony99CA wrote:
Erik Frèrejean wrote:[...]I honestly don't see a valid reason to host javascript required for a MOD on the server of the author.
One good reason: Security updates. If a "trusted" source finds a security problem in the JavaScript code, they can fix it once and not require everybody to update their MODs.
Which poses multiple problems, I for one have certain protocols that must be followed before someone can update stuff on sites I maintain. One is that all changes *must* be in a VCS so I can slap the person that uploaded broken stuff, this can't be done when using remote code.
That's you. Others may not worry so much. I guess it also matters what happens if the MOD breaks. If it takes your board (or vital functions) down, that's bad; if it just prevents the MOD from working but the vital features of phpBB keep working, it's not a big deal.
Erik Frèrejean wrote:
Pony99CA wrote:
Erik Frèrejean wrote:I don't think you'll be able to create a valid list of "approved sources". Why would you include google.com/xxx.yy but not erikfrerejean.com/xxx.yy? Because the latter isn't controlled by a multinational? Because the content on my server for some reason is less trustable than something on google's?
And, sorry, Google has tons of resources to keep their servers up and running. I'm not so sure about Erik. ;)
You are assuming here that I (or my host) can't keep my servers running, kinda harsh to do without knowing what/where I host and how it's hosted.
I'm not assuming that at all; you misinterpreted what I said. I merely said that I know what kind of resources Google has but have no idea (am not sure) what kind you or your host have. Therefore it's up to you to prove that you can keep your service running while most people would reasonably assume that Google can do it.
Erik Frèrejean wrote:
Pony99CA wrote: If so, what if my MOD is a gallery MOD for images stored in Flickr or some such site?
Due to the nature of services like Flickr one can assume that if you request a picture from the service a picture is what you get. If that picture contains an exploit, flickr itself most likely would be affected by that first ;).
Not necessarily. Suppose it was found that a malformed JPEG crashed IE 5.5 and allowed remote code execution. Do you think Flickr tests every image they receive in every browser?
Erik Frèrejean wrote:What we are discussing here however isn't getting an image from a remote source, but rather active code that gets executed by the browser no matter what. I know that I'm not a security professional, but to me that sounds like throwing out the security model of phpBB.
As a software developer for 18+ years, I understand the difference. The point is that exploits can come from data files, too. You need look no further than at all of the problems Adobe has with PDFs and Flash and Microsoft has with Office files.
Erik Frèrejean wrote:
Pony99CA wrote:Maybe the actual remote usage should be handled on a case-by-case basis. And, if you do allow it, make sure that there's a prominent note stating that the MOD uses off-site resources (with details). That way people can make an informed decision on whether they want to risk using it. I may trust Erik, but somebody else may not.
We've also got users that are hardly capable of installing a MOD in the first place, how would those users be able to make such a decision? And *if* boards break/get hacked by allowing this I know who is getting the blame from the majority of users and it won't be the MOD author ;).
True, but so what? Do you prevent the 95-year-old man from buying a Ferrari because he can't handle it? Do you prevent people from smoking because it can kill them?

If somebody is too ignorant to install a MOD, they probably shouldn't install them. If they don't recognize their own limitations, there's not much we can do.

But let's try an alternative. What if phpBB.com hosted the remote resources for non-trusted sources? That way they could fix security issues if they occurred and the developers couldn't maliciously update them. phpBB.com has lots of resources to keep this board running, so the (presumably) rare MOD that requires remote resources probably wouldn't be a strain.

Steve

Post by Popp Singh » Wed Feb 02, 2011 9:06 am

Guys I don't understand all the technical stuff BUT I want personal control, freedom of choice, to be informed of anything that in any way phones home or gets info from anywhere else so it can work. Nobody should be able to change any parts of what I've got on my computer / server or what it needs to function without my permission.

As to trust. Look at all the times microcrap have smuggled bits that were to their advantage onto customers' computers behind their backs and all their software's phone home functions. And to me trusting google would be the same as employing a paedophile as a baby sitter.

Fetching a version number and having a piece of one's software on a remote computer are two TOTALLY different things and don't have any relevance to what's being talked about here. So is the bit about photos and other things hosted on other sites. It doesn't fit in here because we put those things there, we have control of them and we know what's happening and when. We can also get rid of the things on those remote servers if and when we want to. Both don't have any effect on what my computer is doing = they ain't giving my computer any orders.

To the people who make MODS I and my computer ain't here to make life easy for you. If you can't make a MOD with all its bits included don't. And if you want any usage statistics about things on my computer ...... PAY ME.

( < ------- Use your brains to translate all that. It's the middle of the night here and my brain cell is on overload ).

Pony you posted your last post while I was writing this one so I ain't commenting on individual points except to generalise and say .... why make life easy when you can make it difficult?
Last edited by Popp Singh on Wed Feb 02, 2011 9:15 am, edited 1 time in total.