0

Can users who have access to a web content management system be allowed to upload JavaScript files to the web server through a web app in a safe way? Or shouldn't uploading JavaScript be allowed by anyone, and it should instead be manually deployed to the servers via a manual process?

One workaround: Can content editors be allowed to open the JavaScript file on their local system, copy the code and then create an 'object' (of the relevant type) in the WCMS and then paste the code into it?

How can I ensure safe uploading of JavaScript?

Anders
one
  • Are we talking about JS that is supposed to be run on the client? Or are we talking about uploading code that should be downloaded as code, like I would upload code to say GitHub - it is displayed, but it does not run as if it was from GitHub? – Anders Jun 09 '16 at 12:21
  • Hi Anders.. JS that is supposed to be run on the client? – one Jun 09 '16 at 12:32
  • I do not see this as relevant to JavaScript or web applications. You simply want to know how to control permissions on certain uploads for everyone's security, yet providing your content editors additional flexibility if possible. To determine if your web solution is good, you'd need to evaluate it in depth and compare it to your other options such as SFTP with a good password. – Julie Pelletier Jun 09 '16 at 12:49
  • 1
    Do you allow content editors to use ` – Matthew Jun 09 '16 at 13:33
  • @Matthew: a CSP by default would stop inline scripts but not external ones. – dandavis Jun 09 '16 at 19:04
  • @dandavis Yes, but if inline scripts were intended functionality, they wouldn't be blocked - would be a bit pointless! – Matthew Jun 09 '16 at 19:19
  • 1
    The safest way of allowing them to be uploaded is to use a completely different domain when they are served (_not_ a subdomain). This is why Google use the `googleusercontent.com` domain for user stuff rather than `userstuff.google.com`. – SilverlightFox Jun 10 '16 at 08:38

0 Answers