These are chat archives for codexa/firetext

5th
Jun 2015
Joshua Smith
@joshua-s
Jun 05 2015 16:32
So, I've got a question
If any app can run on localhost, use a blob url, or set its ffos origin to be app://codexa.github.io/, is that really any more secure than *?
Daniel Huigens
@twiss
Jun 05 2015 16:37
Eh, no, not in that case, but we shouldn't allow blob urls, and we have to trust Mozilla that they won't allow other apps to use that origin
localhost is dubious, but if software has access to localhost they can do anything they want
Joshua Smith
@joshua-s
Jun 05 2015 16:38
hmm, ok
Joshua Smith
@joshua-s
Jun 05 2015 16:44
So, should we allow localhost?
Daniel Huigens
@twiss
Jun 05 2015 16:47
I think so, also because otherwise it would be hard for others to test Firetext
Joshua Smith
@joshua-s
Jun 05 2015 16:47
Ok!
Daniel Huigens
@twiss
Jun 05 2015 16:47
Well, not really, only the Dropbox thing
I don't think there's a big security reason not to, anyways
Joshua Smith
@joshua-s
Jun 05 2015 17:23
since we allow localhost, should we also allow file:///
Daniel Huigens
@twiss
Jun 05 2015 17:24
Yes, I think so
Joshua Smith
@joshua-s
Jun 05 2015 20:00
hmm, so I am not succeeding in filtering window.opener.location with regexes
apparently, I cannot access window.opener.location.*
Daniel Huigens
@twiss
Jun 05 2015 20:44
You could send a postMessage from the opener and look at messageEvent.origin
Joshua Smith
@joshua-s
Jun 05 2015 20:47
We would need to post a message to * to let the app know it's ready and then post one back with the origin
Daniel Huigens
@twiss
Jun 05 2015 20:52
Yes, that works too
Daniel Huigens
@twiss
Jun 05 2015 21:37
Soo, two questions
Joshua Smith
@joshua-s
Jun 05 2015 21:37
Sure
Daniel Huigens
@twiss
Jun 05 2015 21:37
There are now multiple things in the firetext folder that aren't really needed for a production bundle
Although really, the only one that's important is the automation exe
Important as in, large
And second
Joshua Smith
@joshua-s
Jun 05 2015 21:39
Yeah. I manually remove all of those files/folders. Hoping to get a build process sometime.
Could be as simple as a bash/shell script
Daniel Huigens
@twiss
Jun 05 2015 21:40
It would be nice to have a single minified css and a single js file, I think that would be better for performance
Joshua Smith
@joshua-s
Jun 05 2015 21:40
Oh yeah!
Less requests
Daniel Huigens
@twiss
Jun 05 2015 21:41
So, what would the script do exactly? Create a build directory?
Joshua Smith
@joshua-s
Jun 05 2015 21:43
That is what most do. We could (in order):
  • Add keys (e.g. Splunk Mint key)
  • Concatenate js/css
  • Minify js/css
  • Zip necessary files
  • output in /build
What do you think?
Eventually, we could add testing too
Daniel Huigens
@twiss
Jun 05 2015 21:56
Yep, sounds good. It would be nice if we could keep the development cycle short though for those who test from localhost (not me currently sadly). E.g. ideally keep building < 2 seconds if possible.
Or not require building at all obviously
Joshua Smith
@joshua-s
Jun 05 2015 21:59
That's a great goal
btw, it works without localhost right now
Daniel Huigens
@twiss
Jun 05 2015 22:00
Lol at "That's a great goal"
That's a great goal twiss, keep believing
:)
no, jk
Joshua Smith
@joshua-s
Jun 05 2015 22:01
Oh, I wasn't meaning it that way, sorry
Daniel Huigens
@twiss
Jun 05 2015 22:02
I know :)
But it might come to be true though, 2 seconds is a short time
What do you mean with "it works without localhost right now"?
Joshua Smith
@joshua-s
Jun 05 2015 22:55
Oh ok :)
I am running in firefox without using a local server
e.g. just opening firetext through the file:// protocol