jquery.cookie.js triggers default Apache mod_security rules
Not a problem
in Developing jQuery Core
7 years ago
I believe this issue almost doesn't need any introduction anymore since it has existed for quite a while now (> 1 year). If not, Google for it. It amazes me that the developers from jQuery do not pick this up and just change their filenames to follow up on the indirect advice from the default mod_sec rules. Personally, I get the impression that the developers do not take cross-site scripting and security seriously. Which I dare to doubt, so hard-working developers: do not feel offended by this message. It is meant as advice.
This issue can simply be fixed by changing the filename jquery.cookie.js to jquery_cookie.js or jquery-cookie.js. That's all!
jQuery cannot expect that everybody has to change this themselves since it should come out-of-the-box. Now hosting providers, like me, have to adjust the default mod_sec rules and create a security hole because the core developers refuse to follow these rules. I believe this is the world upside-down and I think the assumption can be made that the creators of those mod_security rules know what they are doing. Besides the fact that it is asking for trouble to use more than one period in your filenames... obviously.
So my request is, and I am sure all jQuery users will agree on this, please change the filenames.