DavidIQ wrote:First off if you've ever sent in your MOD with just a MODX update and a phpBB version update you've likely been denied. We will no longer deny such updates as long as the phpBB version is updated as well. We will not, however, accept a MOD update that is just for MODX. We are changing this "unwritten" policy because we realize that there is a drop-down in the MODDB that shows what phpBB versions the MOD applies to and this can only be updated if you submit an update to your MOD. This will also help reduce the constant onslaught of questions about if the MOD works on the current version of phpBB.
This really makes sense. I've always found it kinda annoying that in order to update your MOD for a new phpBB version, you could only do that by changing the MOD (which in a lot of cases isn't required). Just a quick question though: I assume that these kinds of updates are pushed to the bottom of the queue, or can you add a note about it in the "Validation Notes" so that the update can be "insta-approved"? As there is only a version change, it makes sense to allow that as well instead of pushing them into the queue.
DavidIQ wrote:Second item we spoke about was about remote javascript inclusion. We are talking about when a MOD requires a modification to the overall_header.html file to add the inclusion of a javascript file like so:
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script>
Obviously this example is a very acceptable option HOWEVER we have had MOD authors that want to add remote inclusion of javascript files from their own sites. So we would like to hear your thoughts about this and any security worries that you may have. We have denied MODs for things like this but we don't actually have an official policy for it. So we'd like to hear from you, the community, on what we should do, if anything, about this potential security risk. Do we allow remote inclusion of javascript from any source?
First of all, how do you validate remote .js? The file content that is on the remote server at the time of the validation doesn't necessarily have to be there (for example) 3 months down the line. What happens if the remote server goes down and with that breaks the MOD (or a server/domain/file move, for what it's worth)? Or the owner of the server simply replaces the file with another javascript file; now every board with that MOD can be exploited with nasty javascript as the board owner doesn't know this, so basically you'll allow third parties to remotely change the behavior of boards. This is IMHO a *really* bad idea and please don't allow it; by allowing this you'll take away control from the board owner with all the problems that come with that.
That said I honestly don't see a valid reason to host javascript required for a MOD on the server of the author.
DavidIQ wrote:Do we allow remote inclusion of js only from a list of approved sources? If so then what sources would the list contain?
Besides the issues pointed out above (which apply to all remote sources, yes for some more than others), I don't think you'll be able to create a valid list of "approved sources". Why would you include google.com/xxx.yy but not erikfrerejean.com/xxx.yy? Because the latter isn't controlled by a multinational? Because the content on my server for some reason is less trustable than something on google's?
All in all I think that if your MOD requires javascript, the javascript file should be included in the MOD package. Both for validation reasons (once installed the javascript remains the same as at the time of validation), as for controllability (the remote server goes down, my board potentially breaks).
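
As an added example (not part of the post and not phpBB's own validation tooling), this is one way a MOD validator could flag script includes that leave the board when reviewing an edit to overall_header.html. The sample template, the mods.example.org host and the mymod.js file name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a template."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def remote_script_hosts(template_html):
    """Return (src, host) for each script loaded from another server.

    A src with a scheme (http:, https:) or a protocol-relative src
    (//host/...) is fetched from a remote host on every page view; a
    relative path or a template variable such as {T_TEMPLATE_PATH}/x.js
    resolves to a file shipped in the installed package.
    """
    collector = ScriptSrcCollector()
    collector.feed(template_html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        if parts.netloc:  # set for "https://host/..." and "//host/..."
            findings.append((src, parts.hostname))
    return findings


# Constructed sample: the jQuery line quoted in the post plus two made-up includes.
SAMPLE_HEADER = """
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script>
<script type="text/javascript" src="//mods.example.org/js/widget.js"></script>
<script type="text/javascript" src="{T_TEMPLATE_PATH}/mymod.js"></script>
"""

if __name__ == "__main__":
    for src, host in remote_script_hosts(SAMPLE_HEADER):
        print(f"remote script from {host}: {src}")
```

The check only reports where a script comes from; whether a reported host is acceptable is the policy question the thread is discussing.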