Warning: the .Trust file was superseded by the .ContentSecurityPolicy file.


Embedding 3rd party plugins

2016-10-02

As of Boomla v0.3.0, you can embed 3rd party plugins into your pages, like Youtube videos, Google Maps, Disqus comments, Google Analytics, etc.

Our solution is both safe and simple.

Example

To enable Youtube videos, you have to

  • place a file named .Trust (dot, uppercase!) into the file referencing the video,

  • with the contents www.youtube.com,

  • commit your changes. That’s it!

The same goes for other services, just use their domains instead. If you need to reference more domains, put each one on a new line.

The rest of this document is only for tech savvy people.

----

How it works

What you are editing via the .Trust file is the Content-Security-Policy HTTP header your website is returning in every request.

If you are familiar with Content-Security-Policy directives, you can specify directive values more precisely. For example, to enable loading Bootstrap from its CDN, you could write


script-src maxcdn.bootstrapcdn.com; style-src maxcdn.bootstrapcdn.com

While it’s nice to be more specific, it often means you have to do more research on what a service needs, and you are going to enable everything it needs anyway, so what’s the benefit of the extra work?

For that reason, you can instead just write maxcdn.bootstrapcdn.com and Boomla will expand it into the proper directive syntax for you.
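As an added example (not Boomla's code), here is a small Python model of the expansion just described. It assumes that a line without spaces or semicolons is a bare host name, that such a host is expanded into a fixed set of fetch directives (the set chosen here is an assumption; this page does not document Boomla's actual expansion), that explicit lines use ordinary CSP syntax, and that every directive starts with 'self'. It also refuses the wildcard * so that one line in a .Trust file cannot silently switch the whole policy off, a check the page does not mention.

```python
# Added example, not Boomla's code: turning the contents of a .Trust file
# into a Content-Security-Policy header value.
#
# Assumptions (not stated on the page): a line without spaces or
# semicolons is a bare host name; a bare host is expanded into the
# directives in HOST_DIRECTIVES (Boomla's real expansion may differ);
# other lines are ordinary CSP directives, several per line allowed,
# separated by ';'.

# Directives a bare host is assumed to be expanded into: scripts, styles,
# images, fonts, embedded frames and XHR/fetch.
HOST_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src",
                   "frame-src", "connect-src")


def is_directive_line(line):
    """Explicit CSP syntax has a space between directive and sources."""
    return " " in line or ";" in line


def parse_trust(text):
    """Map directive name -> source list for one .Trust file.

    Every directive starts with 'self' so the site's own assets keep
    loading.  The wildcard '*' is refused: a single such line would
    otherwise disable the whole policy, which is not what "trusting a
    vendor" is meant to do.
    """
    policy = {}

    def add(directive, source):
        if source == "*":
            raise ValueError("refusing wildcard source '*' in .Trust")
        sources = policy.setdefault(directive, ["'self'"])
        if source not in sources:
            sources.append(source)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if is_directive_line(line):
            # Explicit syntax: "script-src a.example; style-src b.example"
            for part in line.split(";"):
                tokens = part.split()
                if not tokens:
                    continue
                directive, sources = tokens[0], tokens[1:]
                policy.setdefault(directive, ["'self'"])
                for source in sources:
                    add(directive, source)
        else:
            # Bare host: expand into every directive a vendor typically needs.
            for directive in HOST_DIRECTIVES:
                add(directive, line)
    return policy


def build_csp(text):
    """Serialise the parsed policy as a header value."""
    policy = parse_trust(text)
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


if __name__ == "__main__":
    print(build_csp("www.youtube.com\n"))
    print(build_csp("script-src maxcdn.bootstrapcdn.com; "
                    "style-src maxcdn.bootstrapcdn.com"))
```

A bare www.youtube.com line thus becomes six directives each listing 'self' and the host, while the explicit Bootstrap line is passed through with only 'self' prepended; additional host lines append to the same directives in order.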

Commit

Note that your .Trust file only takes effect once you commit it. Here is why. Assume your website is compromised and a hacker succeeds in placing a malicious script together with a .Trust file on your site. That script (virus) will not work as long as you haven’t approved it. When committing, you will be prompted about any additions to your .Trust files. Thus, to hack your site, hackers will need your permission!

So, Boomla will only trust external vendors which are present in your latest commit. Note that if you have multiple Youtube videos, you will not need to commit every single .Trust file. Having one committed is enough.

Writing apps

If you are writing or using a Boomla app that relies on 3rd party services, you can add the .Trust file centrally to your app, so you won’t need to add one to every single file of that file type. When you install the app, you will also need to commit its .Trust file.

Keeping things in order

Note that Boomla does not use a central file to enable Content-Security-Policy directives. This is crucial, because this way you will not need to do extra administrative work when installing or uninstalling apps, or when removing content that trusted a 3rd party service provider. The trust is removed together with the content or the app.

Keeping your website fast

Note that the Content-Security-Policy HTTP header is only populated from the .Trust files that are relevant to the response: those of the files rendered on the page and of the apps used to render them.
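The commit gate from the Commit section and the per-response scoping from this section, as one added Python model that is not Boomla's code. It assumes the site can be represented as two dicts mapping paths to .Trust contents (the latest commit and the working tree), that a file's .Trust sits at <path>/.Trust, and that the renderer reports the files and apps it used as a list of paths. All paths and domains in the sample data are constructed for the example.

```python
# Added example, not Boomla's code: which .Trust entries reach the
# Content-Security-Policy header of a single response.
#
# Assumptions (not stated on the page): a snapshot of the site is a dict
# mapping paths to .Trust contents, a file's .Trust lives at
# "<path>/.Trust", and the renderer reports the files and apps it used
# as a list of paths.  All paths and domains below are constructed.


def trust_entries(text):
    """Non-empty lines of one .Trust file, de-duplicated, order kept."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line not in entries:
            entries.append(line)
    return entries


def approved_entries(committed):
    """Every entry that appears in any .Trust file of the latest commit.

    Approval is per entry, not per file: once www.youtube.com is in one
    committed .Trust file, other files may reference it without a new
    commit ("having one committed is enough").
    """
    approved = set()
    for text in committed.values():
        approved.update(trust_entries(text))
    return approved


def trusted_for_response(committed, working, rendered):
    """Entries allowed into this response's header, and the ones held back.

    Only .Trust files belonging to something rendered in the response are
    consulted, so unrelated files cannot bloat the header.  An entry that
    no committed .Trust file contains is reported as pending instead of
    being trusted, which is what keeps a .Trust file planted by an
    attacker from taking effect.
    """
    approved = approved_entries(committed)
    trusted, pending = [], []
    for path in rendered:
        trust_path = path.rstrip("/") + "/.Trust"
        for entry in trust_entries(working.get(trust_path, "")):
            if entry in approved:
                if entry not in trusted:
                    trusted.append(entry)
            else:
                pending.append((trust_path, entry))
    return trusted, pending


def commit_prompt(committed, working):
    """Additions the user must approve at commit time: every working-tree
    entry that no committed .Trust file already contains."""
    approved = approved_entries(committed)
    additions = []
    for trust_path in sorted(working):
        if not trust_path.endswith("/.Trust"):
            continue
        for entry in trust_entries(working[trust_path]):
            if entry not in approved:
                additions.append((trust_path, entry))
    return additions


# Constructed sample site.  The latest commit trusts YouTube from one blog
# post and Google Maps from an installed app.
COMMITTED = {
    "/blog/video-post/.Trust": "www.youtube.com\n",
    "/apps/maps-app/.Trust": "maps.googleapis.com\n",
}

# Working tree: a second video post (uncommitted, but reusing an approved
# domain) and a file dropped by an attacker together with its own .Trust.
WORKING = dict(COMMITTED)
WORKING["/blog/second-video/.Trust"] = "www.youtube.com\n"
WORKING["/blog/hacked-post/.Trust"] = "untrusted.example\n"

if __name__ == "__main__":
    rendered = ["/blog/video-post", "/blog/second-video",
                "/blog/hacked-post", "/apps/maps-app"]
    trusted, pending = trusted_for_response(COMMITTED, WORKING, rendered)
    print("trusted:", trusted)
    print("held back:", pending)
    print("to approve at commit:", commit_prompt(COMMITTED, WORKING))
```

Rendering the four sample files trusts only the two committed domains and holds back the planted one, and a response that renders nothing with a .Trust file gets no third-party entries at all; the commit prompt lists exactly the planted entry for approval.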

Cheers,

you can follow me on Twitter