19 Mar 2008 8:34 AM #11
Even the name of the var gives away what it's there for: Ext.BLANK_IMAGE_URL - hmm, could this be for a 1px transparent gif?!
19 Mar 2008 11:04 AM #12
But where is this recommended, exactly?
http://extjs.com/learn/Tutorial:Introduction_to_Ext_2.0 does not mention it.
http://extjs.com/learn/Tutorial:Play...t_The_Easy_Way does not either.
Going to the API there is no "recommended settings" section. Even the description of the option ends with "Defaults to http:..." due to the truncation, so it must be expanded to see what it defaults to.
The FAQ topic is not called "recommended settings" either, it is titled "My code links to extjs.com/s.gif" -- So, unless you know it is doing this, it's unlikely one would actually find this topic. I searched for "extjs.com/s.gif" using the forum search, and got over 500 pages.
Look at it from a new user point of view, not one who already knows where to find the topic.
19 Mar 2008 11:04 AM #13
Go look at the documentation for the Ext class:
BLANK_IMAGE_URL : String
URL to a 1x1 transparent gif image used by Ext to create inline icons with CSS background images. (Defaults to "http://extjs.com/s.gif" and you should change this to a URL on your server). [emphasis added]
Ext.BLANK_IMAGE_URL = '../../resources/images/default/s.gif';
But it's a little panicky to make accusations about privacy or security issues when all you need to do is check the docs.
so it must be expanded to see what it defaults to.
19 Mar 2008 11:13 AM #14
19 Mar 2008 11:39 AM #15
Here is an example. Perhaps this will show you what I mean.
Note that this is the magic image Google uses to track web pages, and this was installed by the admin of extjs.com. This is an EXAMPLE, not saying google here is a threat.
- Host www.google-analytics.com
- User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20080201 Firefox/22.214.171.124
- Accept image/png,*/*;q=0.5
- Accept-Language en-us,en;q=0.5
- Accept-Encoding gzip,deflate
- Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
- Keep-Alive 300
- Connection keep-alive
- Referer http://extjs.com/forum/showthread.php?p=140503
Now, if this were your application and you did not change the rather hidden Ext.BLANK_IMAGE_URL option, it would send a similar request to extjs.com instead, with your page's URL in it.
If you are a good developer the URL won't have anything special. However, if you are not so great, or using email links to log people in or otherwise using tokens in the URL, extjs.com now gets these tidbits.
I do not think the admin of extjs.com is evil, nor are the developers. I do believe this is a serious issue, however, and not one to lightly dismiss as "read the docs." Too much software is insecure out of the box, and no one reads all the docs before they dig in. If the getting started guides all say to change this option when working on things, that'd be great -- but they do not. No books I've looked through discuss this option, but most discussed extjs v1.x, so perhaps this was not an issue in that version.
I have not seen setting this option in any of the online examples posted on the extjs.com site NOR in any forum posts showing examples NOR in any other example code.
Is the final word from developers that this is not really an issue?
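Added example, not part of the thread and not Ext JS code: a small model of the Referer header a browser attaches to a cross-origin image request such as the default s.gif, showing what the third-party host receives under the older default referrer policy and under the stricter default current browsers apply. The function names, the app.example.test host and the reset_token parameter are hypothetical and constructed for illustration.

```javascript
// Parameter names that suggest a secret is carried in the URL (illustrative list).
const SENSITIVE = /(^|[_-])(token|key|session|sid|auth|password|reset)([_-]|$)/i;

// Referer value sent for a subresource request, or null when none is sent.
// Models three standard Referrer-Policy values; others are rejected.
function refererFor(pageUrl, resourceUrl, policy = 'no-referrer-when-downgrade') {
  const page = new URL(pageUrl);
  const target = new URL(resourceUrl, page);          // resolves relative URLs
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';
  // The fragment and any userinfo are never included in Referer.
  const full = page.origin + page.pathname + page.search;
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':                // older browser default
      return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':           // current browser default
      if (target.origin === page.origin) return full;
      return downgrade ? null : page.origin + '/';
    default:
      throw new Error('unmodelled policy: ' + policy);
  }
}

// List every third-party host that would receive a Referer for this page,
// and which secret-looking query parameters that Referer exposes.
function auditPage(pageUrl, resourceUrls, policy) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const r of resourceUrls) {
    const target = new URL(r, page);
    if (target.origin === page.origin) continue;      // first-party: nothing leaves
    const referer = refererFor(pageUrl, r, policy);
    if (referer === null) continue;
    const leakedParams = [...new URL(referer).searchParams.keys()]
      .filter((k) => SENSITIVE.test(k));
    findings.push({ host: target.host, referer, leakedParams });
  }
  return findings;
}

// Constructed sample: a page with a token in its URL, loading the default
// s.gif from the thread and the locally hosted override from the thread.
const PAGE = 'http://app.example.test/login?reset_token=CONSTRUCTED#step2';
const RESOURCES = ['http://extjs.com/s.gif', '../../resources/images/default/s.gif'];
console.log(auditPage(PAGE, RESOURCES));
console.log(auditPage(PAGE, RESOURCES, 'strict-origin-when-cross-origin'));
```

Only the absolute extjs.com URL produces a finding; the relative path resolves to the page's own origin, which is what setting Ext.BLANK_IMAGE_URL to a local file achieves.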
19 Mar 2008 11:59 AM #16
A look in the API tells you it's not "hidden". Most of the examples people post in the forums have that as one of the first lines.
URL to a 1x1 transparent gif image used by Ext to create inline icons with CSS background images. (Defaults to "http://extjs.com/s.gif" and you should change this to a URL on your server).
19 Mar 2008 12:26 PM #17
Ext.BLANK_IMAGE_URL is an image not a webpage. It can't load the google analytics JS.
As I stated in my previous post on this thread - search the forum. The reason behind why it must be an absolute URL has been explained. If you have the time to do the research to write your previous post accusing us of spying, you also have the time to do the research to find the post explaining why it must be an absolute URL.
Anyway, I have searched for the thread for you. It was the 4th thread in the list (following this one) when searching for BLANK_IMAGE_URL and included "purpose of s.gif" in its title.
This thread is closed.
Jack Slocum
Ext JS Founder
Original author of Ext JS 1, 2 & 3.
19 Mar 2008 12:26 PM #18
If you are a good developer the URL won't have anything special. However, if you are not so great, or using email links to log people in or otherwise using tokens in the URL, extjs.com now gets these tidbits.