With 1.6, I need to enable javascript trust for piclens.com in order to start the slide show.

Is this really necessary?
What about running this module on an intranet site which should be closed and not unnecessarily communicate or send requests to external sites?
It would be acceptable to have piclens.com/cooliris.com links inside the piclens view, but I am getting worried about this requirement. What does the script do?

Is Piclens.com collecting information about which sites and image names are using piclens? I assume they collect some information.

What can be done on an intranet to ensure that the titles of images are not possible to get to?
I see that this is also a general setting about trusting piclens.com for different reasons, for example visiting/using their web site. So it may be that we want to trust that site anyway.

But the script should NOT connect to them when we are simply using Piclens on an internal site.
There should be no communication initiated by this module towards piclens.com, I think. It is ok to have links to those sites from inside the slideshows, but no script activity...

I would like to know why that script needs to communicate with piclens.com.

Comments

swentel’s picture

Status: Active » Fixed

Hi Daniel,

That's the first time I hear about the need to allow javascript trust.

What the javascript does is simply this: PicLens Lite support. If a user doesn't have the piclens extension installed in his browser, the script will try to load
1) a flex application which reads in the mediarss feed and displays the pictures in the flex application
2) lightbox if the user hasn't the proper flash requirements.

So, to put it simply, it's not necessary to enable the javascript inclusion and link into a site if you don't want that. You can safely disable that option. The only thing that will work then is if a user has the cooliris/piclens extension in his browser.

It's been a while since I've actually looked at the javascript itself, it's not yet stable enough to let people download it, because cooliris/piclens is still making a lot of changes to it.

Hope that answers your question and concerns a bit, marking this issue as fixed, feel free to reopen.

Leeteq’s picture

Hi, I just saw that it was related to these two checkbox options:

- PicLens Lite javascript for image galleries.
"Toggle this checkbox to add support for PicLens Lite.
This will add javascript into the content region of your document."

- PicLens Lite link for image galleries.
"Toggle this checkbox to add a link as a drupal message to start the PicLens Lite slideshow.
You can also manually add this link in your template, see README.txt for more info."

Ok, so I can disable them.
The unfortunate consequence is that the Start Slideshow link/arrow on top of gallery pages disappears...
Even if I never got that link to work, it would be very nice if it did, and without a dependency on a script that needs the mentioned trust for external sites, but that would perhaps be a feature request?

swentel’s picture

Category: support » feature
Status: Fixed » Active

I'll investigate the possibility to code a simple javascript which starts cooliris, but not the PicLens lite version. Marking this as active for now, more news on friday.

swentel’s picture

Daniel,

I looked again at some specs from PicLens and I see they modified the crossdomain.xml a bit, quite different from what the piclens module loads right now.

<?xml version="1.0"?>
    <!DOCTYPE cross-domain-policy SYSTEM
        "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
    <cross-domain-policy>
        <allow-access-from domain="*.cooliris.com" />
        <allow-access-from domain="*.piclens.com" />
        <site-control permitted-cross-domain-policies="all"/>
    </cross-domain-policy>

Could you create a crossdomain.xml on the root of your server and add the above code to it? I want to verify if this will fix the javascript trust issue you are experiencing. I know there have been some changes lately in flash concerning domain connections etc, so this might fix that issue.
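
Added example, not part of the original thread or of the PicLens module's code: a short Python check that lists what a crossdomain.xml like the one quoted above grants, which is what an intranet administrator would want to know before placing it on the server root. The function name, the finding labels and the `.intranet.example` suffix are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the policy quoted in the comment above.
POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
    "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*.cooliris.com" />
    <allow-access-from domain="*.piclens.com" />
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>
"""

# Assumption: placeholder suffix for hosts you consider internal.
INTERNAL_SUFFIXES = (".intranet.example",)


def audit_policy(xml_text, internal_suffixes=INTERNAL_SUFFIXES):
    """Return (kind, value) findings for a Flash cross-domain policy file.

    Only run this on policy files you control: ElementTree is not
    hardened against hostile XML.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("allow-access-from"):
        domain = node.get("domain", "").strip()
        if domain == "*":
            # Flash content from any origin may read responses from this site.
            findings.append(("any-domain", domain))
            continue
        # "*.cooliris.com" -> ".cooliris.com", "wiki.x" -> ".wiki.x"
        host = "." + domain.lstrip("*.").lower()
        if not host.endswith(tuple(internal_suffixes)):
            # An outside origin is granted read access to this site's data.
            findings.append(("external-domain", domain))
    for node in root.iter("site-control"):
        meta = node.get("permitted-cross-domain-policies", "")
        if meta == "all":
            # Any policy file on the host, not only /crossdomain.xml, is honoured.
            findings.append(("meta-policy", meta))
    return findings


if __name__ == "__main__":
    for kind, value in audit_policy(POLICY):
        print(f"{kind}: {value}")
```
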

swentel’s picture

Status: Active » Fixed

Updated cross domain policy in both D5 and D6 branch.
As for the javascript trust, I can't create a script that only checks for the extension, but looking at the existing javascript file, it seems sane, no evil stuff goes on in there.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.