-
Hi @Benji81, thanks for suggesting. I'm not familiar with this FF. Is it for the deck.gl chart editing?
-
Yes @junlincc, it is for deck.gl. I do not know if other charts allow embedded JS. My pain points: The ENABLE_JAVASCRIPT_CONTROLS option says that it is disabled by default because of the XSS possibility if a bad user includes malicious JS in a chart. In my usage, I have some trusted users and some untrusted users. My trusted users are "power users" that need to add some JS in their charts, for tooltips on a map for example. They ask me if I can enable this feature. What I do not want is to also enable that feature for untrusted users because, theoretically, with XSS, they could write JS to steal the session/cookie of any user that would display a malicious chart. It would be very dangerous if these sessions/cookies are those of a power user with extended permissions or an admin. Adding this as a permission should solve this by adding this feature to a "role" for power users and not adding it to the "standard user" role.
-
Hello,
ENABLE_JAVASCRIPT_CONTROLS is actually a global configuration flag. It would be great if we could give access to that feature to some users/groups through role permissions.
Thus we could have trusted users with this great functionality and it would be disabled for others.