Iframes in Appropedia?


Chris Watkins

May 19, 2011, 4:45:10 AM
to Tech for Sustainability Wikis
Iframes work on our dev site, using a widget:
http://www.whatissustainability.org/User_talk:RichardF#Widgets

It seems like a pretty big feature to add - effectively the same as "ScaryTransclusion" but maybe works better. It has advantages if we use it on the live site (letting organization pages show their own homepage, displaying external forum discussions within Appropedia, if we want the community to be aware...).

Are there security concerns? The one thing that concerns me is that it makes it much easier for someone (e.g. a vandal) to display inappropriate content. It also makes it easier to remove, but it could make for slightly more work, checking that transcluded pages really are legitimate. I'm thinking for example of a clever spoof site from the Yes Men, where you have to look closely to realize it's not really a World Bank site.

So, iframes... safe? Useful?
--
Chris Watkins

Appropedia.org - Sharing knowledge to build rich, sustainable lives.

Curt Beckmann

May 19, 2011, 3:49:31 PM
to tech-for-susta...@googlegroups.com
If I understand the picture, there is one more security challenge:
A bad actor can transclude a site that is initially good looking, possibly with moderately relevant content.  We would see the transclusion in the "recent changes" and go check the transcluded site.  If it's lovely, we mark it blessed, and then pay no more attention. Then at some later time (a week?) the bad actor alters the content at the transcluded site.  We get no notification.  So that means that we (or the community) would need to be alert to ugly content appearing without notification, implying a different level of oversight / maintenance.

I can see how some transclusions would be useful, but not convinced the good outweighs the bad.

Curt


--
All posts to this list are licensed under CC-BY-SA and GFDL (take your pick if you reuse the content).
 



--
Curt Beckmann
System

Chris Watkins

May 23, 2011, 1:16:31 AM
to tech-for-susta...@googlegroups.com
On Fri, May 20, 2011 at 02:49, Curt Beckmann <Curtbe...@appropedia.org> wrote:
> If I understand the picture, there is one more security challenge:
> A bad actor can transclude a site that is initially good looking, possibly with moderately relevant content.  We would see the transclusion in the "recent changes" and go check the transcluded site.  If it's lovely, we mark it blessed, and then pay no more attention. Then at some later time (a week?) the bad actor alters the content at the transcluded site.  We get no notification.  So that means that we (or the community) would need to be alert to ugly content appearing without notification, implying a different level of oversight / maintenance.
>
> I can see how some transclusions would be useful, but not convinced the good outweighs the bad.

Thanks - we'll leave this off for now.

I've added a task (low priority) to work out a way to transclude only from sites on a whitelist.

Cheers,
Chris
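
The whitelist idea from the last message, sketched as an added example; it is not part of the thread and not code from Appropedia or the widget. The function name, the second host in the list and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts an admin has approved for embedding (hypothetical).
ALLOWED_HOSTS = frozenset({"www.whatissustainability.org", "forum.example.org"})


def iframe_src_allowed(src, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for an absolute http(s) URL whose host is approved."""
    # Whitespace, control characters and backslashes are parsed differently by
    # browsers and by URL libraries, so refuse them before parsing.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in src):
        return False
    try:
        parts = urlsplit(src)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Only plain web schemes; this rejects javascript:, data: and
    # scheme-relative ("//host/...") values.
    if parts.scheme not in ("http", "https"):
        return False
    # "https://approved-host@other-host/" puts the approved name in the
    # userinfo part, not the host, so refuse any userinfo at all.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 80, 443):
        return False
    # Exact match on the lower-cased host: no substring or suffix tests, so
    # "approved-host.other.example" does not pass.
    return (parts.hostname or "") in allowed_hosts


if __name__ == "__main__":
    # Constructed sample inputs.
    for url in (
        "http://www.whatissustainability.org/User_talk:RichardF",
        "https://www.whatissustainability.org@evil.example/",
        "https://www.whatissustainability.org.evil.example/",
    ):
        print(iframe_src_allowed(url), url)
```

A host allowlist limits which sites can be framed; it does not detect content changing later on an approved host, which is the concern raised earlier in the thread.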
