I'm working on a module, and I would like to include some custom JS for the index page of the module on the admin side. The two applicable topics I can find are: viewtopic.php?p=854153 and viewtopic.php?p=872311. It appears that the way to add a static resource like JS is to use an absolute path, either by starting the URL with `/`, or by starting the URL with the full protocol and domain via the PHP constant. This definitely gets the job done, but it doesn't feel... safe? Especially on the catalog side where no authentication is required, we're explicitly exposing internal file paths. Even if the server is properly configured to prevent indexing, it doesn't necessarily prevent brute-force requests to find other files in those paths. It seems like it would be more secure to disallow access to the extensions directory, and have static resources loaded through some sort of controller or otherwise whitelisted approach?
Perhaps this is a bigger question than just for extensions, but I thought I'd bring it up in the context I started with.
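The allowlisted approach the post asks about, as an added example (not part of the original post and not OpenCart code): a handler that maps a logical asset key to a file, so request input never becomes part of a filesystem path. The function names, the `asset` query parameter, the key `my_module.index` and the paths are hypothetical, and the example assumes the web server already denies direct requests to the extension directory.

```php
<?php
// Added example. All names, keys and paths below are hypothetical.

// Only these file types are ever served, each with a fixed content type.
const ASSET_TYPES = [
    'js'  => 'application/javascript',
    'css' => 'text/css',
];

/**
 * Resolve a logical asset key to a file on disk, or return null.
 * Keys missing from $allowlist are rejected before any filesystem access,
 * so guessing keys reveals nothing about what else is in the directory.
 */
function resolve_asset(string $key, array $allowlist, string $baseDir): ?array
{
    if (!array_key_exists($key, $allowlist)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowlist[$key]);
    if ($base === false || $path === false) {
        return null; // base directory or listed file does not exist
    }
    // Defence in depth: a bad allowlist entry or a symlink must not escape $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset(ASSET_TYPES[$ext])) {
        return null; // never serve .php, .tpl, config files and so on
    }
    return ['path' => $path, 'type' => ASSET_TYPES[$ext]];
}

function serve_asset(string $key, array $allowlist, string $baseDir): void
{
    $asset = resolve_asset($key, $allowlist, $baseDir);
    if ($asset === null) {
        http_response_code(404); // same response for every failure reason
        return;
    }
    header('Content-Type: ' . $asset['type']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($asset['path']));
    readfile($asset['path']);
}

// Constructed usage: one registered asset, requested as ?asset=my_module.index
$allowlist = ['my_module.index' => 'my_module/view/js/index.js'];
serve_asset((string)($_GET['asset'] ?? ''), $allowlist, '/var/www/extension');
```

Serving files through PHP bypasses the web server's static-file handling, so cache headers such as `Cache-Control` or `ETag` would have to be set by the handler itself.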