Security for launching from URL (was Re: Release 8.2.0 -- pls add critical features (Greg Smith))

Edward Cherlin echerlin at gmail.com
Fri Jul 4 13:37:55 EDT 2008


On Fri, Jul 4, 2008 at 6:35 AM, Bryan Berry <bryan.berry at gmail.com> wrote:
> Greg wrote:
>>Thanks for keeping us apprised of your needs!
>
> My pleasure.
>
>>I'm also not aware of any feasible design proposal which might address
>>your request. You need a precedent or engineering level suggestion to
>>move this forward. Is this possible in Firefox at all?
>
> Probably not.
...
> We need a way to seamlessly integrate supporting materials such as
> readings, lesson plans, together with activities. HTML is the way to do
> this and the browser is what we use to display HTML. URIs are what we
> use to link to different resources.
>
> We may end up hacking Browse esp. to allow this because of the immense
> demand.
>
> We need to make it dead simple for teachers to use activities like
> EToys, E-Paath, Measure in the classroom. The easiest way to do this is
> to make the transition from lesson plan to activity as easy as possible.
>
>>I think that having a URL launch a local application will
>>be a fatal security hole. I don't know of any examples of that off the
>>top of my head.
>
> I don't know squat about security but this is a very important application.

This is Ivan's domain. My guess is that there is a way to secure the
process, but it might require some extra effort beyond a software fix,
like teachers whitelisting URLs for lessons. Or perhaps just
whitelisting our Moodle instances. Signed lesson plans? At any rate,
_not_ allowing random outside URLs to launch local activities and give
them scripts to run.

>>My guess is that you need to re-think your Moodle
>><-> activity model and work flow. If you can solve the problem from there
>>using the currently available functionality that will be the shortest
>>path to a solution.
>
> I have rethought it and I believe more firmly that the Moodle <->
> activity workflow is the way to go.
...
> thank you for your attention to these important matters. You should come out to
> Nepal one of these days. As I told one of the developers recently:
> Get Thee to a Pilot site! Any Pilot site!
>
> Bryan
> Kathmandu



-- 
Edward Cherlin
End Poverty at a Profit by teaching children business
http://www.EarthTreasury.org/
"The best way to predict the future is to invent it."--Alan Kay
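
One way to implement the whitelisting suggested in the message above, as an added example that is not part of the original post or of any OLPC code. The `activity:<name>` link form, the host name, the activity list and the function names are all hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: exact origins (scheme, host, port) of trusted Moodle servers.
ALLOWED_ORIGINS = {("https", "moodle.school.example", 443)}
# Hypothetical set of activities a lesson page is allowed to start.
LAUNCHABLE = {"etoys", "epaath", "measure"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port), or None if url is not a plain http(s) URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # "https://trusted@other-host/" must not look trusted
    host = parts.hostname.lower().rstrip(".")
    return (scheme, host, port or DEFAULT_PORTS[scheme])


def may_launch(page_url, launch_url):
    """Decide whether a link found on page_url may start a local activity."""
    # Compare the whole origin exactly; substring or prefix matching on the
    # URL would accept look-alike hosts such as trusted-name.other.test.
    if origin_of(page_url) not in ALLOWED_ORIGINS:
        return False
    try:
        parts = urlsplit(launch_url)
    except ValueError:
        return False
    if parts.scheme != "activity":
        return False
    # The link may only name an activity. Anything that would hand the
    # activity arguments or a script to run is refused.
    if parts.netloc or parts.query or parts.fragment:
        return False
    return parts.path in LAUNCHABLE
```

The allowlist is matched on the page that contains the link, not on the link itself, so an outside page cannot start an activity even with a well-formed `activity:` link.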


