[asterisk-gui] interface to list of providers

Klaus Ruebsam k.ruebsam at gmx.net
Thu Aug 28 15:48:37 CDT 2008 

How about a

------------------
Feature request:

Additional Field somewhere underneath 

Options -> General Preferences

By default pointing to the JS-file at DIGIUM. But everyone may be free to
wget that JS-file manually, place it somewhere on his own web-server and
change the above entry field to point to that own webserver. IMHO the
corresponding value (URL) should be stored somewhere within
/etc/asterisk/http.conf

Action required:
1. Add additional variable within http.conf somewehere underneath the
[general] section, let´s call it

providersinfo = https://gui-dl.digium.com/providers.js 

No change within Asterisk itself required as variable gets only read by the
GUI


2. Wihtin the above mentioned menue-section of the GUI an additional
inputfield (keep it long enough) plus a button, named "Default" or "DIGIUM"
that would overwrite the field with
"https://gui-dl.digium.com/providers.js". The JS-file as of the release date
of the GUI version used, may additionally be saved (during installation of
the GUI) somewhere underneath http://myasterisk:8088/asterisk/static/config/
making an additional and initial wget of the file no longer necesary.
------------------

How about that one? That should make all of us happy, shouldn´t it? And
implementation shouldn´t be that difficult.


Best regards,

Klaus



-----Ursprüngliche Nachricht-----
Von: asterisk-gui-bounces at lists.digium.com
[mailto:asterisk-gui-bounces at lists.digium.com] Im Auftrag von bkruse
Gesendet: Donnerstag, 28. August 2008 21:00
An: Asterisk GUI project discussion
Betreff: Re: [asterisk-gui] interface to list of providers

The whole idea behind this is that we _can_ push updates of Service
Providers.

We will test this internally, but it is better than the alternative (having
a provider that does not work when they are certified to work)

Not to mention this will rarely happen.

As far as the remote thing, it is an equiv of a "wget", what about when you
go to sites and you see "request pages from analytics.google.com", or
requesting advertising javascript files. If you are worried about javascript
security, and your overall security, there are much better, and more
vulnerable, places to start at.

-bk

Pari Nannapaneni wrote:
>> Not to get into semantics:
>>
>> The obvious fact is that the local page gets information from a 
>> remote page. For the purpose of usage statistics, maybe even a simple 
>> data file or an image would do the same.
>>     
>
> Sure, i think having discussions about any security/privacy concerns are
always a good thing.
>
>   
>> This still does not address the original issue.
>> Also note that the URL should be HTTPS or use some other equivalent 
>> messure to protect from DNS spoofs and such.
>>     
>
> It is a HTTPS URL with a valid SSL cert.
>
> thanks,
> -Pari
>
>
> ----- Original Message -----
> From: "Tzafrir Cohen" <tzafrir.cohen at xorcom.com>
> To: asterisk-gui at lists.digium.com
> Sent: Thursday, August 28, 2008 1:11:28 PM GMT -06:00 US/Canada 
> Central
> Subject: Re: [asterisk-gui] interface to list of providers
>
> On Thu, Aug 28, 2008 at 08:40:45AM -0500, Pari Nannapaneni wrote:
>   
>> Hi Tzafrir,
>>
>>     
>>> 1. Privacy implications
>>> Every time I use this configuration page, it reports home. 
>>>       
>> "reports home" would be kind of a strong word.
>>
>> I would agree with what you said,
>>  [A] if there is 'a banner-Ad script served from a 3rd party website" 
>> in the gui  [B] if the gui had some third party scripts like "google
analytics"
>>  [C] if the script is a mashup 
>>      I don't think this really qualifies as a 'mashup', as there is NOWAY
the script
>>      can read any of your cookies set by other websites. 
>>      - Unless you are embedding the gui in someother website via an
iframe.
>>  [D] if the script served is obfuscated using some javascript 
>> obfuscator  [E] OR if the script makes any XMLhttprequest to Digium or
some other website.
>>
>> Its straight forward javascript file, like the rest of the scripts in the
GUI.
>>     
>
> Not to get into semantics:
>
> The obvious fact is that the local page gets information from a remote 
> page. For the purpose of usage statistics, maybe even a simple data 
> file or an image would do the same.
>
> A quick grep before posting this message showed me that this was the 
> only case of such a "remote" content.
>
> It also means that part of the functionality is not available if the 
> system has no internet access (or is behind a very strict firewall).
>
>   
>> The only difference being that it is loaded from a different URL, and 
>> the GUI tells the same to the user and loads the script only after 
>> taking a confirmation from the user.
>>
>> Yes, the webserver's log file will contain a bunch of IP addresses 
>> which requested the js file, but thats like saying "i won't use VOIP
because the person on the other end might know my IP address".
>>
>>
>>     
>>> 2. Untested code
>>> This feature means I run a whole bunch of javascript code from a 
>>> remote site. Later on some modifications in that page may break my 
>>> page and I would not even be aware of that.
>>>       
>> We will see what we can do about this.
>>
>> Right now, the providers file is on a different svn repository.
>> I will see if there is a way to somehow move the providers script 
>> file into the gui repository, so that any changes made to the file 
>> would be public.
>>     
>
> This still does not address the original issue.
> Also note that the URL should be HTTPS or use some other equivalent 
> messure to protect from DNS spoofs and such.
>
>   


_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--

asterisk-gui mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-gui

More information about the asterisk-gui mailing list