HeadStand, posted May 30, 2018: I noticed that in 4.3, Codepen was removed from \IPS\Text\Parser::_oembedServices. Was this intentional? And if so, can you please provide the reason? I have a client that uses codepen extensively, so if there was a valid reason for its removal, I'd like to know so that I can be aware of the "consequences" of putting it back in. Thanks.
Ryan Ashbrook, posted May 30, 2018: Yes, it was removed because of security concerns with the pen actually executing JavaScript from inside the embed.
bfarber, posted May 30, 2018: Yes, it was intentional. Codepen can execute JavaScript in the local scope, so it introduced a minor potential security vulnerability. Doh, Ryan sniped me.
GreenSock, posted June 1, 2018: That's a huge disappointment and I'd like to strongly recommend that you put it back. Codepen embeds didn't run by default anyway - the user needed to click to activate. It's not like having the user click a link to go to the codepen URL (instead of embedding) would somehow protect them from malicious JS in that codepen, right? So this is just kicking the can down the road (and simultaneously frustrating your customers like me and providing a worse user experience for forum users). Literally almost every thread in our forums has a codepen, so this decision you made has significant ramifications for us. Please reconsider.
Nathan Explosion, posted June 1, 2018: If Invision chooses not to add it back, then you can add it back using this:
bfarber, posted June 4, 2018: There's no reason it couldn't be done with a plugin, however we actually received a security report about the issue and had to take action. Social engineering could be used to cause harm on sites with less savvy users.
CodingJungle, posted June 8, 2018:
> On 6/4/2018 at 10:14 AM, bfarber said: There's no reason it couldn't be done with a plugin, however we actually received a security report about the issue and had to take action. Social engineering could be used to cause harm on sites with less savvy users.
Didn't realize JS was so powerful, it could alter the course of an entire culture and society?
BomAle, posted June 8, 2018: I would like to know if a mechanism like https://developer.mozilla.org/it/docs/Web/Security/Subresource_Integrity could be a solution to the problem.
bfarber, posted June 8, 2018: Not for this - the very nature of codepen is that arbitrary JavaScript can execute.
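One defensive approach to the problem the replies above describe (a provider's oEmbed markup executing script in the host page's scope) is to vet the provider's "html" field on the server: reject anything carrying a script element, accept only a single iframe from an allowlisted https host, and rebuild the tag with a sandbox attribute. This is an added example written for Node, not Invision Community code; the allowlist, the function names and the sample embeds are constructed.

```javascript
// Added example, not Invision Community code: vet the "html" field that an
// oEmbed provider returns before it is stored or rendered. Policy: accept
// only a single <iframe> whose src is https and on an allowlist, and rebuild
// the tag from scratch with a sandbox attribute; anything carrying a <script>
// (an embed that wants to run JS in the host page's scope) is rejected.
const ALLOWED_EMBED_HOSTS = new Set(['codepen.io']); // constructed allowlist

function extractAttr(attrs, name) {
  // Value of one double- or single-quoted attribute, or null if absent.
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, 'i');
  const m = attrs.match(re);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

function vetOembedHtml(html, allowedHosts = ALLOWED_EMBED_HOSTS) {
  const trimmed = String(html).trim();
  // Any script element means the provider wants code in our page: reject.
  if (/<script\b/i.test(trimmed)) return null;
  // Exactly one iframe element and nothing else.
  const m = trimmed.match(/^<iframe\b([^>]*)>\s*<\/iframe>$/i);
  if (!m) return null;
  const attrs = m[1];
  const src = extractAttr(attrs, 'src');
  if (!src) return null;
  let url;
  try { url = new URL(src); } catch (e) { return null; }
  if (url.protocol !== 'https:' || !allowedHosts.has(url.hostname)) return null;
  if (/["'<>]/.test(url.href)) return null; // belt and braces for the rebuilt tag
  const dim = (name, fallback) => {
    const v = extractAttr(attrs, name);
    return v !== null && /^\d{1,4}$/.test(v) ? Number(v) : fallback;
  };
  const width = dim('width', 600);
  const height = dim('height', 300);
  // Rebuild with a fixed attribute set, so event handlers or other attributes
  // the provider sent never reach the page. sandbox without allow-same-origin
  // gives the frame an opaque origin: the pen may still run its own JS, but it
  // cannot touch the host page's DOM, cookies or storage.
  return `<iframe src="${url.href}" width="${width}" height="${height}" ` +
         `sandbox="allow-scripts" loading="lazy"></iframe>`;
}
```

Note that this keeps the pen's own script running inside an isolated frame; it does not, and cannot, make the pen's content trustworthy, which is the point the reply above makes about SRI.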