

Wouldn't it be cool if hosted sites could run JavaScript?

  1. Not a complaint, but rather a suggestion. I get the reticence on
    WordPress' part to allow hosted users to post ads. On my site, we paid for the No Ads option, because we specifically *don't* want ads.
    Here's the thing. The Web is literally crawling with tons of content
    *related* to our topic, and that content is available in JavaScript
    form. Things like calendar widgets, counters, petitions, etc. Could there
    be a way that bloggers could benefit from that content, if it could be
    demonstrated that a) the code is harmless, and b) that the code does not
    contain any 3rd party advertising?

    The blog I need help with is deafinprison.wordpress.com.

  2. No, it wouldn't be cool. It would be a HUGE security risk because this is a multiuser blogging platform, i.e., our blogs are not free-standing; they are all on the same multiuser blogging platform.

    Blogs are served from {name}.wordpress.com. The WordPress cookie is delivered to any site that ends in wordpress.com. Any JavaScript on the page is legitimately allowed to look up cookies that would be sent to the domain it’s served from.

    This means that if you can run JavaScript on a hosted WordPress page, you can retrieve the login cookie from another WordPress user, and then pass it to an external site. (Generally by creating an image reference that includes the encoded login cookie.)

    This is just a basic part of the underlying technology of the web browser, and it’s required for sites like Gmail, Yahoo!, and others to operate.

    There are ways a site can avoid this problem (generally by constantly changing the login cookie data with EVERY response, and invalidating the old ones immediately), but they require more horsepower on the backend than the blogging sites are really able to provide, and there’s still usually a small window of opportunity.

    This is why LiveJournal, WordPress, and most other hosted sites disallow JavaScript. http://onecoolsitebloggingtips.com/2007/10/08/why-javascript-is-a-security-risk/

  3. Thanks for responding. I realize that there are always ways that unscrupulous types can mess up a good thing. My whole deal is about getting active content onto my page. It would be nice if we could figure out a way to defeat that cookie thing, somehow.

  4. I'm sorry, but this idea is bound to be a no-go at WordPress.com. However, self-hosted WordPress.org installs are free-standing, so if you hire a web host and set up a WordPress.org install then you can use JavaScript because the only security at issue is on your own install. If there is a security issue on a WordPress.org install then one site goes down and not a whole whack of sites as would be the case if JavaScript were allowed here at WordPress.com.
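
The cookie scoping described in the second reply, modeled as an added example (not code from this thread or from WordPress.com): it applies the RFC 6265 domain-match rule to show which hosts receive a cookie and whether page script on those hosts can read it, and it goes beyond the thread by also modeling host-only cookies and the HttpOnly attribute. The `blogs.example` host names and the cookie values are constructed stand-ins for a shared platform domain.

```javascript
// Added example: a small model of RFC 6265 cookie scoping (no browser needed).
// RFC 6265 section 5.1.3 domain-match: same host, or host ends with "." + domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase(), d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Turn a Set-Cookie value received from originHost into a stored-cookie record.
function storeCookie(setCookie, originHost) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: originHost.toLowerCase(), hostOnly: true, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "domain" && v) {
      const d = v.trim().replace(/^\./, "").toLowerCase();
      if (!domainMatch(originHost, d)) return null; // server may not set a foreign Domain
      cookie.domain = d;
      cookie.hostOnly = false; // Domain attribute widens scope to every subdomain
    } else if (key === "httponly") {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// Is the cookie attached to HTTP requests for this host?
function sentTo(cookie, host) {
  const h = host.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatch(h, cookie.domain);
}

// Would script in a page on this host see the cookie in document.cookie?
function readableByScript(cookie, host) {
  return sentTo(cookie, host) && !cookie.httpOnly;
}

// Constructed sample: the same session cookie issued two ways by a login host.
const shared = storeCookie("session=abc123; Domain=blogs.example; Path=/", "login.blogs.example");
const hardened = storeCookie("session=abc123; Path=/; Secure; HttpOnly", "login.blogs.example");

for (const host of ["login.blogs.example", "other-user.blogs.example", "notblogs.example"]) {
  console.log(host, { shared: readableByScript(shared, host),
                      hardened: readableByScript(hardened, host) });
}
```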

Topic Closed

This topic has been closed to new replies.
