Phabricator uses JavaScript from external domain
Closed, Declined, Public


Phabricator uses JavaScript from the external domain. I very much doubt this is a good idea.

Event Timeline

DaBPunkt updated the task description.
DaBPunkt added a project: Phabricator.
DaBPunkt changed Security from none to None.
DaBPunkt added a subscriber: DaBPunkt.

Could you give some more details? URL?

In particular, why is this a problem? The domain is owned and operated by WMF for this purpose as a security measure.

Krenair added a subscriber: Krenair.
Nemo_bis changed the task status from Invalid to Declined. Oct 17 2014, 5:08 PM
Nemo_bis claimed this task.

I'll note that it adds some 10 % to loading times just for the additional SSL negotiation.

Aklapper renamed this task from Uses JavaScript from external domain to uses JavaScript from external domain 17 2014, 5:47 PM
Aklapper added subscribers: Nemo_bis, Qgil.

Um, this definitely looks like some kind of misconfiguration to me., as the name says, is presumably intended to be used for user-uploaded content like task attachments, with the different TLD serving to make it impossible to steal cookies from the real site using uploaded HTML attachments, and the like – however, currently it is used both for these and for built-in Phabricator styles and scripts. This is not insecure in any way, of course, but it does cause spidey senses to tingle.

If we want to serve static content from a separate domain which has no cookies set (which is reasonable and possibly a performance improvement in some cases), then I think we should use, or something like that, and not reuse
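
The cookie isolation discussed in the comments above can be checked with the domain-match rule browsers apply to cookies (RFC 6265, section 5.1.3). The following is an added example, not part of the original thread or of Phabricator's code; every host name in it is a constructed placeholder, and `exposure` and `cookieSentTo` are hypothetical helper names.

```javascript
// RFC 6265 section 5.1.3 domain-match: does `host` fall under `cookieDomain`?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (host === cookieDomain) return true;
  // Suffix matches only count on a label boundary, and never for IP addresses.
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// A cookie set without a Domain attribute is host-only: exact host match required.
function cookieSentTo(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain.toLowerCase();
  return domainMatch(requestHost, cookie.domain);
}

// Constructed placeholder hosts (assumptions, not the domains from the task).
const MAIN = "tracker.example.org";                       // the real site
const SIBLING_FILES = "files.example.org";                // uploads on a sibling subdomain
const SEPARATE_FILES = "tracker.example-usercontent.org"; // uploads on a separate domain

// Session cookie as the main site might set it, in two variants.
const domainCookie = { name: "session", domain: "example.org", hostOnly: false };
const hostOnlyCookie = { name: "session", domain: MAIN, hostOnly: true };

// Which of the three hosts would receive (and expose to their pages) the cookie?
function exposure(cookie) {
  return [MAIN, SIBLING_FILES, SEPARATE_FILES].filter((h) => cookieSentTo(cookie, h));
}

console.log("Domain=example.org ->", exposure(domainCookie));
console.log("host-only          ->", exposure(hostOnlyCookie));
```

A cookie scoped with `Domain=example.org` reaches the sibling upload host, while the separately registered domain never matches either variant, which is the property the separate user-content domain is there to provide.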