http://extjs.com/s.gif


skandragon
03-19-2008, 12:44 AM
I found this in the source code:

BLANK_IMAGE_URL:"http:/"+"/extjs.com/s.gif"

Can someone explain what the BLANK_IMAGE_URL is used for, and why the developers felt it necessary to make it harder to find by splitting the string?

I don't mind "call home" code if it can be disabled, but I think it's outright rude to put this in without making it optional, and without it being documented.

evant
03-19-2008, 12:48 AM
http://extjs.com/learn/Ext_FAQ#My_code_links_to_extjs.com.2Fs.gif

jack.slocum
03-19-2008, 12:49 AM
Please give the forums a search before posting. You may also wish to check out the FAQ.

The string is split to avoid a bug in the comment stripper we use which thinks http:// is a comment.

skandragon
03-19-2008, 12:51 AM
Actually, I did, but s.gif gets a LOT of hits. :)

skandragon
03-19-2008, 12:54 AM
BTW, it seems it might be better to assume ../images works, as the css files do. After all, they are all hard-coded as ../images/... paths.

OR fail to run unless the path is set properly.

evant
03-19-2008, 01:05 AM
That's different. You can't assume people are putting it in ../ or /, as it says in the FAQ. You'd end up getting the opposite problem with people posting saying how "everything looks weird" and we'd be pointing them to the same FAQ item.

Similarly, failure to run isn't really a good idea. A lot of people would say "why is this happening" and just stop using it.

The best out of the box solution is to have it "just work." Those that are concerned will fix it as they need to.

skandragon
03-19-2008, 01:12 AM
It's hard to fix something that isn't known to be broken. I found it by watching my outgoing traffic in firefox. There's got to be a better way.

The css files DO use ../image as a prefix, so some hard-coding is apparently ok.

Lastly, if every example set this, and tutorials all mentioned it, perhaps this would not have been a shock.

I'm not tossing blame here, and I'm sorry I jumped on the issue as evil-call-home stuff. That said, as a developer and privacy fanatic I would rather not have my development URLs spread across the world in the form of referring URLs to http://extjs.com/. I would rather have the application get nothing and look bad -- or have a message that says "You forgot to set Ext.BLANK_IMAGE_URL, you dolt!" appear in my web page than have it fetch an external file.

evant
03-19-2008, 01:17 AM
It's slightly different for CSS. By using ../, it assumes that the /css and /images folders will be side by side. It makes no assumption about where the folders will sit on the server.

The issue has been discussed a fair amount of times (maybe 50 or so posts?), however the majority of people don't really care and it doesn't impact them. For those that do, it's pretty easy to fix. The possibility of a warning message might be ok, but it could still put some users off.

Phunky
03-19-2008, 05:34 AM
I don't get what the big deal is.

> My code links to extjs.com/s.gif
>
> Somewhere at the top of your code you should place a line like the following one, that tells Ext where to find the empty image it needs for some widgets (preferably from your own server/domain). Modify the URL as needed:

So change the URL to your site domain and where you are hosting the s.gif. You seem to think it's been placed there for tracking of ExtJS use, which is totally wrong...

skandragon
03-19-2008, 11:26 AM
> The issue has been discussed a fair amount of times (maybe 50 or so posts?), however the majority of people don't really care and it doesn't impact them. For those that do, it's pretty easy to fix. The possibility of a warning message might be ok, but it could still put some users off.

Compared to the security hole I consider it... At least a privacy issue it is, I'd choose the warning message.

Please don't make me have to send in a CERT on this. There have been other information leaks like this in other frameworks that seem harmless on the surface but leak EVERY url in a web server unless someone notices the issue. This is no different than those.

Phunky
03-19-2008, 11:34 AM
> Compared to the security hole I consider it... At least a privacy issue it is, I'd choose the warning message.
>
> Please don't make me have to send in a CERT on this. There have been other information leaks like this in other frameworks that seem harmless on the surface but leak EVERY url in a web server unless someone notices the issue. This is no different than those.

I don't see how it's an issue at all, you change it to point to your local image folder as recommended by ExtJS and away you go, if you choose not to it's hardly Ext's fault.

Even the name of the var gives away what it's there for: Ext.BLANK_IMAGE_URL - hmm, could this be for a 1px transparent gif?!

skandragon
03-19-2008, 02:04 PM
But where is this recommended, exactly?

http://extjs.com/learn/Tutorial:Introduction_to_Ext_2.0 does not mention it.

http://extjs.com/learn/Tutorial:Playing_With_Ext_The_Easy_Way does not either.

Going to the API there is no "recommended settings" section. Even the description of the option ends with "Defaults to http:..." due to the truncation, so it must be expanded to see what it defaults to.

The FAQ topic is not called "recommended settings" either, it is titled "My code links to extjs.com/s.gif" -- So, unless you know it is doing this, it's unlikely one would actually find this topic. I searched for "extjs.com/s.gif" using the forum search, and got over 500 pages.

Look at it from a new user point of view, not one who already knows where to find the topic.

OutpostMM
03-19-2008, 02:04 PM
Go look at the documentation for the Ext class:

BLANK_IMAGE_URL : String

URL to a 1x1 transparent gif image used by Ext to create inline icons with CSS background images. (Defaults to "http://extjs.com/s.gif" and you should change this to a URL on your server). [emphasis added]

This isn't a security issue, and it's not a privacy issue either. It's an issue of not reading the documentation. I've also seen several examples posted where the comments say explicitly to change the blank URL so that your applications aren't contacting the extjs.com domain at every request. If you want to use a relative URL, this one works:

Ext.BLANK_IMAGE_URL = '../../resources/images/default/s.gif';

But it's a little panicky to make accusations about privacy or security issues when all you need to do is check the docs.

> so it must be expanded to see what it defaults to.
Is that really a problem?

Phunky
03-19-2008, 02:13 PM
> Look at it from a new user point of view, not one who already knows where to find the topic.

I am a new user and didn't get overly confused with it, it couldn't be more clear what it's there for, I mean the name says it all: BLANK_IMAGE_URL, not SUPER_SECRET_SPY_URL.

skandragon
03-19-2008, 02:39 PM
Here is an example. Perhaps this will show you what I mean.

Note that this is the magic image Google uses to track web pages, and this was installed by the admin of extjs.com. This is an EXAMPLE, not saying google here is a threat.


Host www.google-analytics.com
User-Agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Accept image/png,*/*;q=0.5
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 300
Connection keep-alive
Referer http://extjs.com/forum/showthread.php?p=140503

As you can see, the web site www.google-analytics.com, is being sent these HTTP headers. Part of this is the URL of the page you are viewing.

Now, if this were your application and you did not change the rather hidden Ext.BLANK_IMAGE_URL option, it would send a similar request to extjs.com instead, with your page's URL in it.

If you are a good developer the URL won't have anything special. However, if you are not so great, or using email links to log people in or otherwise using tokens in the URL, extjs.com now gets these tidbits.

I do not think the admin of extjs.com are evil, nor are the developers. I do believe this is a serious issue, however, and not one to lightly dismiss as "read the docs." Too much software is insecure out of the box, and no one reads all the docs before they dig in. If the getting started guides all say to change this option when working on things, that'd be great -- but they do not. No books I've looked through discuss this option, but most discussed extjs v1.x, so perhaps this was not an issue in that version.

I have not seen setting this option in any of the online examples posted on the extjs.com site NOR in any forum posts showing examples NOR in any other example code.

Is the final word from developers that this is not really an issue?
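As an added example (not code from the thread or from Ext JS itself), the startup warning proposed above can be implemented as a same-origin check on Ext.BLANK_IMAGE_URL, together with a helper that shows what the image host would receive in the Referer header. It runs under Node.js with the WHATWG URL API; the page URL and paths below are constructed sample values.

```javascript
// Added example (not Ext JS code): a startup check for Ext.BLANK_IMAGE_URL plus a
// helper that shows what a third-party image host receives via the Referer header.
// Runs under Node.js using the WHATWG URL API; all URLs below are constructed samples.

// Resolve the configured image URL against the page URL (so relative values such as
// '../../resources/images/default/s.gif' are handled) and compare origins.
function classifyBlankImageUrl(blankImageUrl, pageUrl) {
  const page = new URL(pageUrl);
  const img = new URL(blankImageUrl, page); // relative paths resolve against the page
  const sameOrigin = img.origin === page.origin;
  return { resolved: img.href, sameOrigin, thirdPartyHost: sameOrigin ? null : img.host };
}

// Browsers send the page URL minus its fragment as the Referer, so anything in the
// path or query string (for example a login token) reaches the image host.
function refererLeak(pageUrl) {
  const page = new URL(pageUrl);
  page.hash = ''; // the fragment is never sent to the server
  const queryParams = [...page.searchParams.keys()];
  return { referer: page.href, queryParams, leaksQuery: queryParams.length > 0 };
}

// The warning message discussed in the thread: a string when the blank image is
// fetched from another origin, null when it is served from the page's own server.
function blankImageWarning(blankImageUrl, pageUrl) {
  const c = classifyBlankImageUrl(blankImageUrl, pageUrl);
  if (c.sameOrigin) return null;
  const leak = refererLeak(pageUrl);
  return `Ext.BLANK_IMAGE_URL points at ${c.thirdPartyHost}; each page load sends ` +
    `Referer ${leak.referer} there` +
    (leak.leaksQuery ? ` (query parameters: ${leak.queryParams.join(', ')})` : '') +
    '. Point it at an image on your own server.';
}

// Constructed sample values (hypothetical development URL, not taken from the thread).
const DEFAULT_BLANK_IMAGE_URL = 'http:/' + '/extjs.com/s.gif'; // split as in the Ext source
const LOCAL_BLANK_IMAGE_URL = '../../resources/images/default/s.gif';
const SAMPLE_PAGE = 'http://dev.example.test/app/login.php?token=abc123#grid';

console.log(blankImageWarning(DEFAULT_BLANK_IMAGE_URL, SAMPLE_PAGE)); // warning text
console.log(blankImageWarning(LOCAL_BLANK_IMAGE_URL, SAMPLE_PAGE));   // null
```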

mjlecomte
03-19-2008, 02:59 PM
> Now, if this were your application and you did not change the rather hidden Ext.BLANK_IMAGE_URL option, it would send a similar request to extjs.com instead, with your page's URL in it.

I hate to give this thread any more attention, but, Ext.BLANK_IMAGE_URL is not hidden. A brief search of the forums, read of the FAQs, or look in the API (http://extjs.com/deploy/dev/docs/?class=Ext&member=BLANK_IMAGE_URL) tells you it's not "hidden". Most of the examples people post in the forums have that as one of the first lines.

> URL to a 1x1 transparent gif image used by Ext to create inline icons with CSS background images. (Defaults to "http://extjs.com/s.gif" and you should change this to a URL on your server).

jack.slocum
03-19-2008, 03:26 PM
skandragon,

Ext.BLANK_IMAGE_URL is an image not a webpage. It can't load the google analytics JS.

As I stated in my previous post on this thread - search the forum. The reason behind why it must be an absolute URL has been explained. If you have the time to do the research to write your previous post accusing us of spying, you also have the time to do the research to find the post explaining why it must be an absolute URL.

Anyway, I have searched for the thread for you. It was the 4th thread in the list (following this one) when searching for BLANK_IMAGE_URL and included "purpose of s.gif" in its title.

http://extjs.com/forum/showthread.php?p=127234#post127234

This thread is closed.

OutpostMM
03-19-2008, 03:26 PM
> If you are a good developer the URL won't have anything special. However, if you are not so great, or using email links to log people in or otherwise using tokens in the URL, extjs.com now gets these tidbits.

So you're saying that this is a potential security issue because someone who is not a good programmer and who hasn't read the documentation might inadvertently cause their URL to show up in the log files for extjs.com. I've been using Ext for less than a month and that was one of the first things I read about, I'm not sure where but it had a comment from Jack himself I believe about changing it. But I can't find where I read that, so it might be good to add a mention about the property in the getting started guides.