[wp-hackers] Advertising on plugin pages

Heiko Rabe heiko.rabe at code-styling.de
Sun Mar 1 21:36:22 GMT 2009 

That javascripts potentially injected into backend pages can't directly 
communicate to an other host than the admin is running because of "same 
origin policy".
They will at least need to be inside an iframe (as known as from googles 
adsence program) or be able to call the WordPress plugin itself as 
proxy, which is rounting the calls to the intended origin and returns 
back the answers.
In such cases (proxy behavoir) this plugin and also the transmitted 
ad-ware can spoof this interface (if it can be studied as source level) 
and drop any PHP code or prepared images with inplace script code that 
IE runs as example.
Futhermore any call to third party transmits automatical IP, hostname 
and if coded much more data out of the blogs domain and could also be 
used to transfer much more confidential data as expected.
You will run into the fact that developers will disassemble the entire 
plugin code to be sure, nothing unwanted will be transmitted. Such time 
wasting effort would force me to drop such a plugin and search for an
ad free solution or to rewrite it without ads.
As 2nd point, some Blogs are configured to deny any outside access from 
backend (blocked by provider or for own security reason) and this may 
lead to request delays and time gaps while 3rd party is unreachable.
And also keep in mind, if something of this interface can be abused, you 
would get at lot of flame articles on the web, that you are the reason 
for blog intrusions.

I will not condemn any ads needed to earn so money for free plugin work, 
but i think it's not worth to place it at backend pages.

Heiko Rabe
(http://www.code-styling.de)
>> Dynamic advertising on a page within the admin sounds like 
>> a bad idea, you are injecting html/javascript from a third 
>> party into the trusted area of the system.
>>     
>
> Although I'm not sure I'd want to see ads in the admin console because its a potential slippery slope, I wonder why it would require "injecting html/javascript from a third party?"  It seems that it could work like this:
>
> 1.) A scheduled event in the plugin checks a web service on the plugin author's site for a new ad image.
> 2.) If found the scheduled event downloads the new ad image to a local directory.
> 3.) The ad image is displayed from the same domain as the site with a simple hyperlink.
> 4.) When the ad is clicked it routes thru a click tracker on the plugin author's site and then on to the advertiser's site.
>
> How does that create an issue with a trusted area of the system?
>
> -Mike Schinkel
> http://mikeschinkel.com/
>
> P.S. I think Joost is asking a broader question: Have can a plugin author generate a revenue stream to support his efforts that doesn't require him or her to constantly do client-focused consulting and instead better target the needs of the general plugin user?  If we could come up with a community-acceptable way that can generate real income for plugin developers w/o retarding the open-source aspects that make the WP community so vibrant and valuable, this could benefit most on the hacker's list, no?
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
>

More information about the wp-hackers mailing list