[mapserver-dev] Re: MapServer security issue
jhart at frw.uva.nl
Wed Nov 6 07:46:16 EST 2002
Another approach could be to look for the origin of the calling URL. If
that has same as the HTTP-address as the MapServer CGI, everything could
same sort of security: if you load a webpage into a subframe of your
browser, the other frames can only modify (or even read) its variables
if it comes from the same server; else it can only be displayed. You can
use the "document.domain" variable to widen the number of permitted hosts.
I wouldn't like to have a totally unscriptable "DATA" statement. It is
very usable when having lots of data files with only minor differences.
Without scripting "DATA" you would have to produce immense MapFiles. Of
course everything can be done be MapScript, but many applications don't
need all that horse power. Besides, many peope aren't able or permitted
to use PHP or Perl on their server.
A last argument for keeping MapServer CGI as scriptable as possible is
complete client-side Web applications (even for IE) without using any
HTML at all, just using the DOM interface. I have found this a very
valuable addition to MapServer's Perl/PHP/Java scripting.
More information about the mapserver-dev