#11 Phunky (Sencha User; West Yorkshire; joined Jun 2007)


    Quote Originally Posted by skandragon View Post
    Compared to the security hole I consider it... At least a privacy issue it is, I'd choose the warning message.

    Please don't make me have to send in a CERT on this. There have been other information leaks like this in other frameworks that seem harmless on the surface but leak EVERY url in a web server unless someone notices the issue. This is no different than those.
    I don't see how it's an issue at all. You change it to point to your local image folder as recommended by ExtJS and away you go; if you choose not to, it's hardly Ext's fault.

    Even the name of the var gives away what it's there for: Ext.BLANK_IMAGE_URL - hmm, could this be for a 1px transparent gif?!

#12 skandragon (Ext User; joined Mar 2008)


    But where is this recommended, exactly?

    http://extjs.com/learn/Tutorial:Introduction_to_Ext_2.0 does not mention it.

    http://extjs.com/learn/Tutorial:Play...t_The_Easy_Way does not either.

    Going to the API, there is no "recommended settings" section. Even the description of the option ends with "Defaults to http:..." due to the truncation, so it must be expanded to see what it defaults to.

    The FAQ topic is not called "recommended settings" either, it is titled "My code links to extjs.com/s.gif" -- So, unless you know it is doing this, it's unlikely one would actually find this topic. I searched for "extjs.com/s.gif" using the forum search, and got over 500 pages.

    Look at it from a new user point of view, not one who already knows where to find the topic.

#13 OutpostMM (Sencha User; joined Jan 2008)


    Go look at the documentation for the Ext class:

    BLANK_IMAGE_URL : String

    URL to a 1x1 transparent gif image used by Ext to create inline icons with CSS background images. (Defaults to "http://extjs.com/s.gif" and you should change this to a URL on your server). [emphasis added]
    This isn't a security issue, and it's not a privacy issue either. It's an issue of not reading the documentation. I've also seen several examples posted where the comments say explicitly to change the blank URL so that your applications aren't contacting the extjs.com domain at every request. If you want to use a relative URL, this one works:

    Ext.BLANK_IMAGE_URL = '../../resources/images/default/s.gif';

    But it's a little panicky to make accusations about privacy or security issues when all you need to do is check the docs.

    so it must be expanded to see what it defaults to.
    Is that really a problem?

#14 Phunky (Sencha User; West Yorkshire; joined Jun 2007)


    Quote Originally Posted by skandragon View Post
    Look at it from a new user point of view, not one who already knows where to find the topic.
    I am a new user and didn't get overly confused with it; it couldn't be more clear what it's there for. I mean, the name says it all: BLANK_IMAGE_URL, not SUPER_SECRET_SPY_URL.

#15 skandragon (Ext User; joined Mar 2008)


    Here is an example. Perhaps this will show you what I mean.

    Note that this is the magic image Google uses to track web pages, and this was installed by the admin of extjs.com. This is an EXAMPLE, not saying google here is a threat.
    • Host www.google-analytics.com
    • User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
    • Accept image/png,*/*;q=0.5
    • Accept-Language en-us,en;q=0.5
    • Accept-Encoding gzip,deflate
    • Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
    • Keep-Alive 300
    • Connection keep-alive
    • Referer http://extjs.com/forum/showthread.php?p=140503
    As you can see, the web site www.google-analytics.com is being sent these HTTP headers. Part of this is the URL of the page you are viewing.

    Now, if this were your application and you did not change the rather hidden Ext.BLANK_IMAGE_URL option, it would send a similar request to extjs.com instead, with your page's URL in it.

    If you are a good developer the URL won't have anything special. However, if you are not so great, or using email links to log people in or otherwise using tokens in the URL, extjs.com now gets these tidbits.

    I do not think the admins of extjs.com are evil, nor are the developers. I do believe this is a serious issue, however, and not one to lightly dismiss as "read the docs." Too much software is insecure out of the box, and no one reads all the docs before they dig in. If the getting started guides all said to change this option when working on things, that'd be great -- but they do not. No books I've looked through discuss this option, but most discussed extjs v1.x, so perhaps this was not an issue in that version.

    I have not seen setting this option in any of the online examples posted on the extjs.com site NOR in any forum posts showing examples NOR in any other example code.

    Is the final word from developers that this is not really an issue?
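Added example (not from the thread and not Ext JS code): a small Node.js check that resolves a candidate Ext.BLANK_IMAGE_URL value against the page, reports whether the image request leaves the page's origin, and computes the Referer the browser would attach under common Referrer-Policy values. The page URL, the token and the settings map are constructed, and the policy logic is a simplified model of browser behaviour, not a browser implementation.

```javascript
// Node.js; only the built-in URL class is used. All URLs below are constructed.
// The page a user is viewing, with a login token in the query string (constructed).
const PAGE_URL = 'http://app.example.com/login?token=abc123#section';
// The library default quoted in the thread, and the relative URL OutpostMM posted.
const DEFAULT_BLANK = 'http://extjs.com/s.gif';
const LOCAL_BLANK = '../../resources/images/default/s.gif';

// Resolve a (possibly relative) resource URL against the page and report whether
// fetching it sends a request, and therefore a Referer, to a third-party origin.
function isCrossOrigin(resourceUrl, pageUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page); // relative URLs resolve against the page
  return res.origin !== page.origin;
}

// Referer value the browser would send for the request, following the three most
// common Referrer-Policy values. The fragment is never sent; the historic default
// 'no-referrer-when-downgrade' sends the full URL unless going from https to http.
function refererFor(pageUrl, resourceUrl, policy = 'no-referrer-when-downgrade') {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page);
  const full = page.origin + page.pathname + page.search; // drops '#section'
  const downgrade = page.protocol === 'https:' && res.protocol === 'http:';
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return res.origin === page.origin ? full : page.origin + '/';
    default:
      throw new Error('unsupported policy: ' + policy);
  }
}

// Audit a map of URL-valued settings (constructed names) and return those that
// would send the page URL off-site under the historic default policy.
function leakingResources(pageUrl, settings) {
  return Object.keys(settings).filter(
    (name) => isCrossOrigin(settings[name], pageUrl) &&
      refererFor(pageUrl, settings[name]) !== null
  );
}

// Usage: the default setting leaks the token, the relative one stays on-site.
console.log(leakingResources(PAGE_URL, { BLANK_IMAGE_URL: DEFAULT_BLANK, ICON_BASE: LOCAL_BLANK }));
console.log(refererFor(PAGE_URL, DEFAULT_BLANK));
console.log(refererFor(PAGE_URL, DEFAULT_BLANK, 'strict-origin-when-cross-origin'));
```

Pointing the setting at your own server removes the cross-origin request entirely; a Referrer-Policy header on the application is the defence-in-depth layer that keeps query-string tokens out of any third-party request you did not notice.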

#16 mjlecomte (Ext User; Florida; joined Jul 2007)


    Quote Originally Posted by skandragon View Post
    Now, if this were your application and you did not change the rather hidden Ext.BLANK_IMAGE_URL option, it would send a similar request to extjs.com instead, with your page's URL in it.
    I hate to give this thread any more attention, but Ext.BLANK_IMAGE_URL is not hidden. A brief search of the forums, a read of the FAQs, or a look in the API tells you it's not "hidden". Most of the examples people post in the forums have that as one of the first lines.
    URL to a 1x1 transparent gif image used by Ext to create inline icons with CSS background images. (Defaults to "http://extjs.com/s.gif" and you should change this to a URL on your server).

#17 jack.slocum (Sencha User; Tampa, FL; joined Mar 2007)


    skandragon,

    Ext.BLANK_IMAGE_URL is an image, not a webpage. It can't load the Google Analytics JS.

    As I stated in my previous post on this thread - search the forum. The reason behind why it must be an absolute URL has been explained. If you have the time to do the research to write your previous post accusing us of spying, you also have the time to do the research to find the post explaining why it must be an absolute URL.

    Anyway, I have searched for the thread for you. It was the 4th thread in the list (following this one) when searching for BLANK_IMAGE_URL and included "purpose of s.gif" in its title.

    http://extjs.com/forum/showthread.ph...234#post127234

    This thread is closed.
    Jack Slocum
    Ext JS Founder
    Original author of Ext JS 1, 2 & 3.
    Twitter: @jackslocum
    jack@extjs.com

#18 OutpostMM (Sencha User; joined Jan 2008)


    If you are a good developer the URL won't have anything special. However, if you are not so great, or using email links to log people in or otherwise using tokens in the URL, extjs.com now gets these tidbits.
    So you're saying that this is a potential security issue because someone who is not a good programmer and who hasn't read the documentation might inadvertently cause their URL to show up in the log files for extjs.com. I've been using Ext for less than a month, and that was one of the first things I read about. I'm not sure where, but it had a comment from Jack himself, I believe, about changing it. But I can't find where I read that, so it might be good to add a mention about the property in the getting started guides.