Compared to the security hole I consider it... At least a privacy issue it is, I'd choose the warning message.
Please don't make me have to send in a CERT on this. There have been other information leaks like this in other frameworks that seem harmless on the surface but leak EVERY url in a web server unless someone notices the issue. This is no different than those.
I don't see how it's an issue at all, you change it to point to your local image folder as recommended by ExtJS and away you go, if you choose not to it's hardly Ext's fault.
Even the name of the var gives away what it's there for Ext.BLANK_IMAGE_URL - hmm could this be for a 1px transparent gif?!
Going to the API there is no "recommended settings" section. Even the description of the option ends with "Defaults to http:..." due to the truncation, so it must be expanded to see what it defaults to.
The FAQ topic is not called "recommended settings" either, it is titled "My code links to extjs.com/s.gif" -- So, unless you know it is doing this, it's unlikely one would actually find this topic. I searched for "extjs.com/s.gif" using the forum search, and got over 500 pages.
Look at it from a new user point of view, not one who already knows where to find the topic.
URL to a 1x1 transparent gif image used by Ext to create inline icons with CSS background images. (Defaults to "http://extjs.com/s.gif" and you should change this to a URL on your server). [emphasis added]
This isn't a security issue, and it's not a privacy issue either. It's an issue of not reading the documentation. I've also seen several examples posted where the comments say explicitly to change the blank URL so that your applications aren't contacting the extjs.com domain at every request. If you want to use a relative URL, this one works:
Look at it from a new user point of view, not one who already knows where to find the topic.
I am a new user and didn't get overly confused with it, it couldn't be more clear what it's there for, I mean the name says it all BLANK_IMAGE_URL not SUPER_SECRET_SPY_URL.
Here is an example. Perhaps this will show you what I mean.
Note that this is the magic image Google uses to track web pages, and this was installed by the admin of extjs.com. This is an EXAMPLE, not saying google here is a threat.
As you can see, the web site www.google-analytics.com, is being sent these HTTP headers. Part of this is the URL of the page you are viewing.
Now, if this were your application and you did not change the rather hidden Ext.BLANK_IMAGE_URL option, it would send a similar request to extjs.com instead, with your page's URL in it.
If you are a good developer the URL won't have anything special. However, if you are not so great, or using email links to log people in or otherwise using tokens in the URL, extjs.com now gets these tidbits.
I do not think the admin of extjs.com are evil, nor are the developers. I do believe this is a serious issue, however, and not one to lightly dismiss as "read the docs." Too much software is insecure out of the box, and no one reads all the docs before they dig in. If the getting started guides all say to change this option when working on things, that'd be great -- but they do not. No books I've looked through discuss this option, but most discussed extjs v1.x, so perhaps this was not an issue in that version.
I have not seen setting this option in any of the online examples posted on the extjs.com site NOR in any forum posts showing examples NOR in any other example code.
Is the final word from developers that this is not really an issue?
Now, if this were your application and you did not change the rather hidden Ext.BLANK_IMAGE_URL option, it would send a similar request to extjs.com instead, with your page's URL in it.
I hate to give this thread any more attention, but, Ext.BLANK_IMAGE_URL is not hidden. A brief search of the forums, read of the FAQs, or look in the API tells you it's not "hidden". Most of the examples people post in the forums have that as one of the first lines.
URL to a 1x1 transparent gif image used by Ext to create inline icons with CSS background images. (Defaults to "http://extjs.com/s.gif" and you should change this to a URL on your server).
Ext.BLANK_IMAGE_URL is an image not a webpage. It can't load the google analytics JS.
As I stated in my previous post on this thread - search the forum. The reason behind why it must be an absolute URL has been explained. If you have the time to do the research to write your previous post accusing us of spying, you also have the time to do the research to find the post explaining why it must be an absolute URL.
Anyway, I have searched for the thread for you. It was the 4th thread in the list (following this one) when searching for BLANK_IMAGE_URL and included "purpose of s.gif" in its title.
If you are a good developer the URL won't have anything special. However, if you are not so great, or using email links to log people in or otherwise using tokens in the URL, extjs.com now gets these tidbits.
So you're saying that this is a potential security issue because someone who is not a good programmer and who hasn't read the documentation might inadvertently cause their URL to show up in the log files for extjs.com. I've been using Ext for less than a month and that was one of the first things I read about, I'm not sure where but it had a comment from Jack himself I believe about changing it. But I can't find where I read that, so it might be good to add a mention about the property in the getting started guides.
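The disagreement in this thread is about what a third-party host actually receives when a page loads its 1x1 blank image from that host. The following script is an added example, not code from the thread or from the Ext JS library: it models the Referer header a browser attaches to the image request under a few Referrer-Policy settings (the legacy default, which sends the full page URL including the query string, and the stricter policies later browsers adopted), and audits a small Ext-style config object for any setting that points off the page's own origin. The page URL, its auth_token parameter and the local path `/resources/images/s.gif` are constructed for the example; the default `http://extjs.com/s.gif` is the one quoted in the thread.

```javascript
// Added example (not from the thread or the Ext JS library): model the Referer
// leak discussed above and check an Ext-style config for off-origin defaults.

// Constructed sample page: an HTTP application page whose URL carries a login token.
const PAGE_URL = 'http://app.example.test/inbox?auth_token=EXAMPLE-TOKEN#top';

// The library default quoted in the thread, and an assumed local path to use instead.
const DEFAULT_BLANK_IMAGE_URL = 'http://extjs.com/s.gif';
const LOCAL_BLANK_IMAGE_URL = '/resources/images/s.gif';

// What a browser sends as the Referer header for a subresource request under the
// named Referrer-Policy. Only the policies relevant to this discussion are modelled.
function refererFor(pageUrl, imageUrl, policy = 'no-referrer-when-downgrade') {
  const page = new URL(pageUrl);
  const img = new URL(imageUrl, pageUrl);   // a relative URL resolves to the page's origin
  const sameOrigin = img.origin === page.origin;
  const downgrade = page.protocol === 'https:' && img.protocol === 'http:';
  const full = new URL(pageUrl);
  full.hash = '';                            // the fragment is never part of Referer
  full.username = '';
  full.password = '';

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'same-origin':
      return sameOrigin ? full.href : null;
    case 'strict-origin-when-cross-origin':  // later browser default: origin only when cross-origin
      if (downgrade) return null;
      return sameOrigin ? full.href : page.origin + '/';
    case 'no-referrer-when-downgrade':       // the default in browsers of the thread's era
      return downgrade ? null : full.href;
    default:
      throw new Error('unmodelled policy: ' + policy);
  }
}

// Report every string setting that would make the browser fetch from a host other
// than the page's own origin, together with the Referer that host would receive.
function auditConfig(pageUrl, config, policy) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [key, value] of Object.entries(config)) {
    if (typeof value !== 'string') continue;
    let target;
    try {
      target = new URL(value, pageUrl);
    } catch (e) {
      continue;                              // not a URL at all, nothing to fetch
    }
    if (target.origin === page.origin) continue;
    findings.push({ key, host: target.host, referer: refererFor(pageUrl, value, policy) });
  }
  return findings;
}

// Demo: the unchanged default versus the local override.
console.log(auditConfig(PAGE_URL, { BLANK_IMAGE_URL: DEFAULT_BLANK_IMAGE_URL }));
console.log(auditConfig(PAGE_URL, { BLANK_IMAGE_URL: LOCAL_BLANK_IMAGE_URL }));
```

With the default left in place, the audit reports one finding for host `extjs.com` whose `referer` field is the full page URL, query string included; with the relative path the request stays same-origin and the audit is empty. The policy parameter shows the other half of the mitigation: even where an off-origin URL is unavoidable, a `strict-origin-when-cross-origin` or `same-origin` policy reduces what leaves the site to the bare origin or nothing.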