Safe way to allow scripts
Short, concise description of the idea
Most popular browsers will only give cookies to scripts and embedded objects such as Macromedia if they are hosted from the same domain that set the cookie. Hosting comments and posts from separate domains would prevent embedded objects from accessing the cookies.
Full description of the idea
I actually have 2 ideas for implementation. Both have positives and negatives.
My first idea, the harder to implement, would require posts and comments to be hosted off another domain (a subdomain should be sufficient) and iframed from the page that checks the cookies. There are a few methods of doing this that I have thought of. You can set a cookie at the other domain so you can tell the two connections are together, or request the pages from the other domain with ?reqid=id, again so the other domain knows what to give the iframe. They could even be from the same server.
My second idea, which is considerably easier to implement, is, instead of putting the username and password in the cookie, to put a hash with a time stamp there and store this hash in a database and in the cookie. You can then know who each user is, and unless the embedded object has access to the db, it can't either.
Because scripts and embedded objects can change a page considerably, it should be up to the journal owner about scripts and objects in comments, as well as a view without.
- The benefit of both suggestions is that embedded objects and scripts can be put in posts and comments.
An ordered list of problems/issues involved
- The problem with the first implementation is that it requires a massive code rewrite as well as rewriting skins. This method may not be worth it, but it is an idea.
- The problems involved with the second solution are deciding how long to store the hash value, and that it will require a rewrite of the current code, but it will not require a rewrite of skins.
An organized list, or a few short paragraphs detailing suggestions for implementation
- See above.
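A sketch of the second idea, added here as an example and not part of the original suggestion or of the site's code: the cookie carries a random token instead of the username and password, and the server keeps a time-stamped record of it so the token can expire. The `SessionStore` class, the 30-day lifetime, the use of a random token with only its SHA-256 kept server-side, and the in-memory dictionary standing in for the database table are all assumptions.

```python
import hashlib
import secrets
import time

SESSION_TTL = 30 * 24 * 3600  # assumed lifetime in seconds; the post leaves this open


class SessionStore:
    """In-memory stand-in (assumption) for the database table of session tokens."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.rows = {}  # sha256(token) -> (username, issued_at)

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, username):
        """Call after the password check succeeds; returns the cookie value."""
        token = secrets.token_urlsafe(32)  # random, not derived from the password
        self.rows[self._digest(token)] = (username, self.clock())
        return token

    def lookup(self, cookie_value):
        """Return the username for a live token, or None."""
        if not isinstance(cookie_value, str) or not cookie_value.isascii():
            return None
        key = self._digest(cookie_value)
        row = self.rows.get(key)
        if row is None:
            return None
        username, issued_at = row
        if self.clock() - issued_at > self.ttl:
            del self.rows[key]  # expired: purge so it cannot be replayed later
            return None
        return username

    def revoke(self, cookie_value):
        """Logout: remove the row so the cookie stops working immediately."""
        if isinstance(cookie_value, str) and cookie_value.isascii():
            self.rows.pop(self._digest(cookie_value), None)
```

A token read from the cookie still identifies the session until it expires or is revoked, so the lifetime chosen for `SESSION_TTL` bounds how long a copied cookie stays useful.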