WP Tavern › Forums › Create Topic
Christopher Now, if it downloaded the JS into the site as files and such, then that would be much trickier. There would be security concerns there. This quote implies that since the JS is being loaded from a CDN it is somehow more secure. My argument is that this is not accurate since the REST API provides CRUD access to your websites database. Maybe it’s time to reevaluate the definition of executable code? I understand it’s impossible to check every line of code from every plugin and theme. At the very least, I hope wordpress.org has automated malware and virus checks. With installed files (PHP or JS), I can easily scan my WP install for intrusions and look for modified files. JS loaded from an external CDN is exponentially more difficult for website owners to monitor. I don’t have all the answers for how to keep the repository secure, but I do know that opening the flood gates with CDNs is not the answer. It’s one thing to allow API usage from a FB, Twitter or Google CDN. They have funding for security experts and will suffer massive financial losses if there is a breach. It’s another thing to allow CDNs from services who have no publicly visible business or security models.
Christopher
Now, if it downloaded the JS into the site as files and such, then that would be much trickier. There would be security concerns there.
This quote implies that since the JS is being loaded from a CDN it is somehow more secure. My argument is that this is not accurate since the REST API provides CRUD access to your websites database.
Maybe it’s time to reevaluate the definition of executable code? I understand it’s impossible to check every line of code from every plugin and theme. At the very least, I hope wordpress.org has automated malware and virus checks. With installed files (PHP or JS), I can easily scan my WP install for intrusions and look for modified files. JS loaded from an external CDN is exponentially more difficult for website owners to monitor.
I don’t have all the answers for how to keep the repository secure, but I do know that opening the flood gates with CDNs is not the answer. It’s one thing to allow API usage from a FB, Twitter or Google CDN. They have funding for security experts and will suffer massive financial losses if there is a breach. It’s another thing to allow CDNs from services who have no publicly visible business or security models.
Name *
Email *
Website:
Topic Title (Maximum Length: 80):
Forum: — No forum —AI and WordPress Articles Blocks Showcase Discussions Events Introductions Jobs and Working in WordPress Podcast Episodes Site and Block Editor
Enter your email address to subscribe to this blog and receive notifications of new posts by email.
Email Address
Submit
Enter the destination URL
Or link to existing content