Hello,
I understand that it won't improve the security level (security by obscurity issue), but at least we would not like dummy users (95% of them) easily getting the whole list of contacts. A smarter user could still get the contacts, nevertheless.
Maybe it would be interesting to have only some contacts, say the ones that appear in the drop list, be fetched with ajax while typing. If the user changes the "to:", then ajax would "renew" these contacts. Again, a smart user could still create a script to automate the process of getting the contacts, but it would be hard.
I guess it would also improve the speed of the compose page, in case we have thousands of contacts, like me.
Jonathan Araújo
IT Infrastructure Administrator
IT Management - INDG S.A.
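The fetch-while-typing idea proposed above, as an added example that is not Roundcube's code: a hypothetical server-side autocomplete filter (Python, with a constructed contact list) that returns only prefix matches and caps the number of results per request. As Michael's reply notes, whatever is returned still crosses the wire; this only bounds how much of the address book a single request carries, it is not access control.

```python
# Constructed sample address book, standing in for the LDAP or personal
# address book that the compose page embeds wholesale. Not Roundcube's data.
CONTACTS = [
    ("Alice Andrade", "alice.andrade@example.com"),
    ("Alvaro Braga", "abraga@example.com"),
    ("Ana Lima", "ana.lima@example.com"),
    ("Bruno Costa", "bruno@example.com"),
    ("Carla Mendes", "carla@example.com"),
]

MIN_QUERY = 2     # refuse empty or 1-char queries: they match nearly everything
MAX_RESULTS = 10  # cap what a single request can return (hypothetical limits)


def autocomplete(query, contacts=CONTACTS, min_query=MIN_QUERY, limit=MAX_RESULTS):
    """Return at most `limit` contacts whose name words or mailbox start with query.

    Only the matching subset is serialized for the client, so the compose page
    no longer carries the whole list in a JavaScript array. Every returned
    entry is still visible to the client; this limits transfer, not access.
    """
    q = query.strip().lower()
    if len(q) < min_query:
        return []
    hits = []
    for name, email in contacts:
        # match on each word of the display name and on the local part of the address
        words = name.lower().split() + [email.lower().split("@")[0]]
        if any(w.startswith(q) for w in words):
            hits.append({"name": name, "email": email})
            if len(hits) >= limit:
                break
    return hits
```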
-----Original Message-----
From: dev-bounces+jonathanneto=indg.com.br@lists.roundcube.net [mailto:dev-bounces+jonathanneto=indg.com.br@lists.roundcube.net] On behalf of Michael Baierl
Sent: Tuesday, 28 October 2008 10:52
To: RoundCube Dev
Subject: Re: [RCD] Contacts getting exposed on html
Hi!
Jonathan Batista de Araujo Neto wrote:
> Hello,
> I noticed that the contacts get exposed on the compose page, that is, everyone reading the source could take the whole list into a text file, so he could send spam.

It does not really make any difference whether the code is there as raw HTML or as a JavaScript array: it is still data that is transferred from the server to the client, so it can be read and used in other ways than you would expect.

> It's not a problem for personal contacts, but if you're in a huge company using LDAP, this might not be a good idea.
> One of our programmers got around this by using ajax and getting the contacts straight into a certain javascript var, instead of defining them in the page code. Since Roundcube has new releases, we have had to do the workaround every time.

Still, the data is transferred over the wire... no difference.

> Maybe you can integrate this "feature" into the mainstream, if it is of interest to you. I can send the hacked code for version 0.1.
> Thanks a lot
> Jonathan Araújo
> IT Infrastructure Administrator
> IT Management - INDG S.A.
List info: http://lists.roundcube.net/dev/
This document may contain confidential and proprietary information of the Instituto de Desenvolvimento Gerencial-INDG and may only be read by the person(s) to whom it is addressed. If you have received this e-mail message in error, please notify us immediately. Any opinions or information contained in this e-mail belong to the sender and do not necessarily coincide with those of the Instituto de Desenvolvimento Gerencial-INDG. This document may not be reproduced, copied, distributed, published or modified by third parties without the prior written authorization of the Instituto de Desenvolvimento Gerencial-INDG.