These are chat archives for codexa/firetext

5th
Jun 2015
Josh Smith
@joshua-s
Jun 05 2015 16:32 UTC
So, I've got a question
If any app can run on localhost, use a blob url, or set its ffos origin to be app://codexa.github.io/, is that really any more secure than *?
Daniel Huigens
@twiss
Jun 05 2015 16:37 UTC
Eh, no, not in that case, but we shouldn't allow blob urls, and we have to trust Mozilla that they won't allow other apps to use that origin
localhost is dubious, but if software has access to localhost they can do anything they want
Josh Smith
@joshua-s
Jun 05 2015 16:38 UTC
hmm, ok
Josh Smith
@joshua-s
Jun 05 2015 16:44 UTC
So, should we allow localhost?
Daniel Huigens
@twiss
Jun 05 2015 16:47 UTC
I think so, also because otherwise it would be hard for others to test Firetext
Josh Smith
@joshua-s
Jun 05 2015 16:47 UTC
Ok!
Daniel Huigens
@twiss
Jun 05 2015 16:47 UTC
Well, not really, only the Dropbox thing
I don't think there's a big security reason not to, anyways
Josh Smith
@joshua-s
Jun 05 2015 17:23 UTC
since we allow localhost, should we also allow file:///?
Daniel Huigens
@twiss
Jun 05 2015 17:24 UTC
Yes, I think so
Josh Smith
@joshua-s
Jun 05 2015 20:00 UTC
hmm, so I am not succeeding in filtering window.opener.location with regexes
apparently, I cannot access window.opener.location.*
Daniel Huigens
@twiss
Jun 05 2015 20:44 UTC
You could send a postMessage from the opener and look at messageEvent.origin
Josh Smith
@joshua-s
Jun 05 2015 20:47 UTC
We would need to post a message to * to let the app know it's ready and then post one back with the origin
Daniel Huigens
@twiss
Jun 05 2015 20:52 UTC
Yes, that works too
Daniel Huigens
@twiss
Jun 05 2015 21:37 UTC
Soo, two questions
Josh Smith
@joshua-s
Jun 05 2015 21:37 UTC
Sure
Daniel Huigens
@twiss
Jun 05 2015 21:37 UTC
There are now multiple things in the firetext folder that aren't really needed for a production bundle
Although really, the only one that's important is the automation exe
Important as in, large
And second
Josh Smith
@joshua-s
Jun 05 2015 21:39 UTC
Yeah. I manually remove all of those files/folders. Hoping to get a build process sometime.
Could be as simple as a bash/shell script
Daniel Huigens
@twiss
Jun 05 2015 21:40 UTC
It would be nice to have a single minified css and a single js file, I think that would be better for performance
Josh Smith
@joshua-s
Jun 05 2015 21:40 UTC
Oh yeah!
Less requests
Daniel Huigens
@twiss
Jun 05 2015 21:41 UTC
So, what would the script do exactly? Create a build directory?
Josh Smith
@joshua-s
Jun 05 2015 21:43 UTC
That is what most do. We could (in order):
  • Add keys (e.g. Splunk Mint key)
  • Concatenate js/css
  • Minify js/css
  • Zip necessary files
  • Output in /build
What do you think?
Eventually, we could add testing too
Daniel Huigens
@twiss
Jun 05 2015 21:56 UTC
Yep, sounds good. It would be nice if we could keep the development cycle short though for those who test from localhost (not me currently sadly). E.g. ideally keep building < 2 seconds if possible.
Or not require building at all obviously
Josh Smith
@joshua-s
Jun 05 2015 21:59 UTC
That's a great goal
btw, it works without localhost right now
Daniel Huigens
@twiss
Jun 05 2015 22:00 UTC
Lol at "That's a great goal"
That's a great goal twiss, keep believing
:)
no, jk
Josh Smith
@joshua-s
Jun 05 2015 22:01 UTC
Oh, I wasn't meaning it that way, sorry
Daniel Huigens
@twiss
Jun 05 2015 22:02 UTC
I know :)
But it might come to be true though, 2 seconds is a short time
What do you mean with "it works without localhost right now"?
Josh Smith
@joshua-s
Jun 05 2015 22:55 UTC
Oh ok :)
I am running in firefox without using a local server
e.g. just opening firetext through the file:// protocol