Google Places Map & Calendar - How I Got Them On My Site

13

Comments

  • brandofamilybrandofamily Registered Users Posts: 2,013 Major grins
    edited August 6, 2013
    Baldy wrote: »
    Sorry, Paul. We feel your pain, but when we become aware of security holes, we have to fix them as quickly as we can.

    I'm not computer/coder wizard so can you explain how allowing iframes or feeds to add this content a security hole?
  • AbigayleRayPhotographyAbigayleRayPhotography Registered Users Posts: 20 Big grins
    edited August 6, 2013
    Thanks for the replies, although it is completely unacceptable for this to happen! I have been with SM for nearly 3 years now using them just as my photo host, but was impressed with what I saw with the new SM and decided to convert SM to be my all in one website and photohost, and while I am glad to see the change that was made, in the end I believe was released too soon, after all, they just stated it was a security hole, well if they had tested properly prior this would have been seen! After the release is not the time to tweak the site while people such as myself are trying to get our sites live! What ticks me off the most is that I PAY for this service, yet I can not have what I want on my site? I mean really? a calendar, a map and a contact form? This does make me wonder what will happen next? I have been with multiple web host over the last 3 years and have never had this type of issue, whatever I wanted on my site was there. Now I have a half-a**ed site that semi works, looks real great to my potential clients, especially when they decide to hit the contact me tab and it doesn't work! I too think I may have to look into an alternative host now. Sorry for the rant, but I don't expect to have these things happening when I pay for the service, and if they (SM) fix this like other things, or the way they respond to questions lately then it will be a year until it gets done.
  • Darter02Darter02 Registered Users Posts: 947 Major grins
    edited August 6, 2013
    Sheaf wrote: »
    Sorry folks. I didn't see this thread until just now. The change wasn't done out of censorship, it was done to plug a potential security hole. We want to allow creativity on the new platform, but we have to do it in a safe and measured manner.


    Explain to me like I am five how this caused problems.
  • McQMcQ Registered Users Posts: 165 Major grins
    edited August 6, 2013
    Baldy wrote: »
    Sorry, Paul. We feel your pain, but when we become aware of security holes, we have to fix them as quickly as we can.

    Perhaps you can explain then why one of your support heroes directed me, via email, to the thread in which Paulbrock and Darter02 had posted the fix for the Contact Form issue?

    Is it a security hole when you guys direct us to a way to embed my Wufoo contact form into my site?

    And why, with all the time and effort you put into the new SM, did no one think of this beforehand?

    (support hero name deleted for privacy)
    AUG 06, 2013 | 08:33AM PDT
    Glenn,

    At the moment there is no possibility of putting more information to the new contact form, but some of our customers have found a way of embedding the wufoo form - please take a look:

    http://www.dgrin.com/showthread.php?t=237346

    I hope this helps! Please let us know if you have any more questions.

    Take care,

    (support hero name deleted for privacy)
    SmugMug Support Hero
    "Where have you gone, Joe DiMaggio, our nation turns its lonely eyes to you?"

    http://mcq.smugmug.com
  • paulbrockpaulbrock Registered Users Posts: 515 Major grins
    edited August 6, 2013
    Thanks Chris, Michael and sheaf.

    From Baldy's post on this issue elsewhere:
    Baldy wrote: »
    We've had to harden our security so unfortunately we can't support iFrames anymore. It's hard for me to imagine that photo hosts that do offer them can offer them for long.

    it sounds like their hands (and the hands of other photo hosts) are effectively tied.
  • paulbrockpaulbrock Registered Users Posts: 515 Major grins
    edited August 6, 2013
    I have been with multiple web host over the last 3 years and have never had this type of issue, whatever I wanted on my site was there.

    I think there is a different perception for some customers and Smugmug as to who is responsible for the site content and how should ultimately have control of it.

    The SM team obviously have some pretty serious concerns about various aspects of site content, and that seems to have led to tighter controls than what those customers are used to.

    They/we are then frustrated, wondering why we can't put whatever we want on 'our' site.

    Personally, I've considered Smugmug as much as a web host as well as a photo host, and I think the two have different expectations, both of acceptable content, and also control and responsibility for that content.
  • edshedsh Registered Users Posts: 27 Big grins
    edited August 6, 2013
    Hm, this is for sure a mixture of good and bad feelings. At first, very harsh, which led to my post about censorship and so on. And later a bit happier by reading that this JS-block is only temporary. I agree with Paulbrock; it's more about not telling your customers about the js block and all throwing all this vast effort of historic development down the river. And when we write to the support, we are told it's a definate decision and with no reason at all. It can hardly get more wrong in terms of customer agreements on that point and just to mention values like customer satisfaction. So, yes, it's really feels like a censorship manouver if you put it to the edge.

    So;

    Baldy; I was really happy to see that you've written that javascript will be allowed and that it is just temporary disabled. So to just clarify and get it final for all of us (and to bring some calm here): Do you hereby commit to the promise that we will get javascript again soon and for sure?

    Also,

    As you (SM) now have put an end to the iframe and the security whole, perhaps you can tell us the nature of the security hole was? It feels kind of groundless when just saying "it was a security hole...".

    And a last thing;

    Please give us customers a good heads up on when we can be "free" again ;) . Is this ETA days, weeks, months or years away?

    Thanks//Edsh
  • AbigayleRayPhotographyAbigayleRayPhotography Registered Users Posts: 20 Big grins
    edited August 6, 2013
    paulbrock wrote: »
    They/we are then frustrated, wondering why we can't put whatever we want on 'our' site.

    While we can agree to disagree, my point is I pay for this service, and as a paying customer I should not have to have things removed from my site. I am in no way violating their TOS, and again, we are talking a simple calendar/map/contact form, it was not some illegal hack that would land us all in prison, we were adding a simple RSS feed from our blogs that you can do on any other web host out there.
    Darter02 wrote: »
    Explain to me like I am five how this caused problems.
    And I again must agree with Darter02 on this one!
  • paulbrockpaulbrock Registered Users Posts: 515 Major grins
    edited August 6, 2013
    While we can agree to disagree, my point is I pay for this service, and as a paying customer I should not have to have things removed from my site. I am in no way violating their TOS, and again, we are talking a simple calendar/map/contact form, it was not some illegal hack that would land us all in prison, we were adding a simple RSS feed from our blogs that you can do on any other web host out there.
    !

    As I understand it, it was not that we had added forms/calendars/maps to our site. It was that the same process we had used would allow others to do something else (I'm not sure what) which would be bad news.

    reading between the lines I believe there are/have been quite a few security considerations related to the new design. Whether these are outright risks to the technical infrastructure, or ass-covering to prevent legal action, or something else I wouldn't know. but I think there's some sort of contraint they're having to work around for various aspects.
  • mbonocorembonocore Registered Users Posts: 2,299 Major grins
    edited August 6, 2013
    Darter02 wrote: »
    Explain to me like I am five how this caused problems.

    We aren't going to get into technical details about security. Period. The bottom line is, we are not trying to censor you, nor will we be in. We are working on getting you the tools you need. It's the manner of how those tools are implemented that we aren't quite sure of yet.
  • edshedsh Registered Users Posts: 27 Big grins
    edited August 6, 2013
    In regards to JavaScript. It would be really interesting to see why that is a security issue. I'll try explain here what I mean and please correct me if you find it suitable.

    JavaScript is run on the client, I. E a user's computer. All necessary access tokens and system endpoints are automatically handed to the customer when logging in on Smugmug. They're even kind of handed over in clear text.

    As everything is publicly accessible with login tokens, then how is it a threat from a smugmug customer point of view? Using a Web browser, I can do any technical operation on your Api because it's all running on my computer.

    My point is, it sounds to me that we could all be seen as trusted smugmug even by this point of time. And we must because we're in an agreement with smugmug.

    Of course, by allowing JavaScript, freedom is full, both technically and all possibilities of Html are there to use (such as embedding iframes). So i guess that the case is more about specialized iframe attacks connected to authentication mechanics or such.. Or its just some other excuse.


    Anyways, I'm still hoping this is not only words from Smugmug.

    I really respect that you top managers join in and fives us some answers, thanks!
  • mbonocorembonocore Registered Users Posts: 2,299 Major grins
    edited August 6, 2013
    edsh wrote: »
    In regards to JavaScript. It would be really interesting to see why that is a security issue. I'll try explain here what I mean and please correct me if you find it suitable.

    JavaScript is run on the client, I. E a user's computer. All necessary access tokens and system endpoints are automatically handed to the customer when logging in on Smugmug. They're even kind of handed over in clear text.

    As everything is publicly accessible with login tokens, then how is it a threat from a smugmug customer point of view? Using a Web browser, I can do any technical operation on your Api because it's all running on my computer.

    My point is, it sounds to me that we could all be seen as trusted smugmug even by this point of time. And we must because we're in an agreement with smugmug.

    Of course, by allowing JavaScript, freedom is full, both technically and all possibilities of Html are there to use (such as embedding iframes). So i guess that the case is more about specialized iframe attacks connected to authentication mechanics or such.. Or its just some other excuse.


    Anyways, I'm still hoping this is not only words from Smugmug.

    I really respect that you top managers join in and fives us some answers, thanks!

    Hi Edsh,

    To be honest, it's out of my paygrade. I come from a MySQL background. Worlds apart :D

    This is what I can tell you though. We are not going to open the flood gates for open JS. All JS implementations will be carefully designed and executed. We will be basing our JS future on what you, our valued customers, tell us you need. This is the plan, and this plan is not changing.

    Now, I can hunt down all the technical genius type people and write out a long winded answer, but it is not going to change our plan regarding Javascript. I don't know about you, but as a long time customer before I was an employee, I would much rather have those guys in the back building cool stuff we can use then writing out technical reasons for why we do and don't do certain things, which in the long run, is not going to change the plan at all, only delay it.
  • paulbrockpaulbrock Registered Users Posts: 515 Major grins
    edited August 7, 2013
    Oh I dunno. Here in London, the numerous announcements of delays on the underground /subway are always punctuated with a reason for the delay. Sometimes its signalling problems, sometimes its passenger action, sometimes it's weather related. Telling passengers why won't make the timetables get back on track any quicker. BUT it makes those problems more palatable for the customers....

    (of course they don't go into exactly what wire broke on which signal box !)

    Sent from my GT-I9100 using Tapatalk 4 Beta
  • mbonocorembonocore Registered Users Posts: 2,299 Major grins
    edited August 7, 2013
    paulbrock wrote: »
    Oh I dunno. Here in London, the numerous announcements of delays on the underground /subway are always punctuated with a reason for the delay. Sometimes its signalling problems, sometimes its passenger action, sometimes it's weather related. Telling passengers why won't make the timetables get back on track any quicker. BUT it makes those problems more palatable for the customers....

    (of course they don't go into exactly what wire broke on which signal box !)

    Sent from my GT-I9100 using Tapatalk 4 Beta

    But, I did tell you the reason why the train isn't running.
    mbonocore wrote: »
    We are not going to open the flood gates for open JS. All JS implementations will be carefully designed and executed.

    I can go get the conductor to come out and explain in great detail why the train isn't running, or he can stay in the cabin and work to get the train running. :D

    I am not trying to be difficult at all Paul. I actually love chatting with you guys. But I am telling you that we will be building tools, implementing JS, etc that you guys need in a carefully designed way. That is the it. We can continue to go around in circles (which I have zero objection to doing) or you can lay out everything you need so I can put it together and bring to my Product and Engineering teams.
  • edshedsh Registered Users Posts: 27 Big grins
    edited August 7, 2013
    mbonocore wrote: »
    Guys, let me repeat what Baldy said in a post this morning

    "As for JavaScript, this message keeps getting buried with all the traffic, so feel free to refer to it when people ask in various threads: we planned to include it in this release and like you we were disappointed when we couldn't pull it off. But we have to do it responsibly and that's a very big challenge, hence the reason it's so hard to come by on photo hosting sites.

    I think what you'll see is trusted customizers using JavaScript first, not because we have some financial relationship with them, but because the deployment is difficult and we want to get our feet wet with them first."

    Hi Mbonocore, now I'm really confused. In one post you say that your president will allow JavaScript, and suddenly with all the efforts, you say you definitely won't.

    So how is i??? And in regards to your argumentation:sure, it's easier for non expert users to get a tool box with stuff. But problem is, this tool box has tools which is really limited in many ways, and who will suffer?? = everybody in the chain from client to customer to smugmug...

    We're really back to the censorship perspective again *sigh* because, no js security exist for simple tuning.. And the perspective is strengthened so much when you say, let's be elite as well and let only trusted companies have js access (read fastlinemedia)...

    So what is the requirement to be a Trusted Smugmug?
  • mbonocorembonocore Registered Users Posts: 2,299 Major grins
    edited August 7, 2013
    edsh wrote: »
    Hi Mbonocore, now I'm really confused. In one post you say that your president will allow JavaScript, and suddenly with all the efforts, you say you definitely won't.

    So how is i??? And in regards to your argumentation:sure, it's easier for non expert users to get a tool box with stuff. But problem is, this tool box has tools which is really limited in many ways, and who will suffer?? = everybody in the chain from client to customer to smugmug...

    We're really back to the censorship perspective again *sigh* because, no js security exist for simple tuning.. And the perspective is strengthened so much when you say, let's be elite as well and let only trusted companies have js access (read fastlinemedia)...

    So what is the requirement to be a Trusted Smugmug?

    I never said we definitely won't allow JavaScript. I said "We are not going to open the flood gates for open JS. All JS implementations will be carefully designed and executed. We will be basing our JS future on what you, our valued customers, tell us you need. This is the plan, and this plan is not changing."
  • edshedsh Registered Users Posts: 27 Big grins
    edited August 7, 2013
    mbonocore wrote: »
    I never said we definitely won't allow JavaScript. I said "We are not going to open the flood gates for open JS. All JS implementations will be carefully designed and executed. We will be basing our JS future on what you, our valued customers, tell us you need. This is the plan, and this plan is not changing."

    Hi MBonocore,

    Thanks for the reply. I'm starting to feel that we see javascript from different perspectives. When you say that you will allow JS implementations.

    1. Do you mean that the aim is for us smuggers to add our custom javascript logic,
    2. or do actually mean that you will implement a configuration on a building block which runs a javascript logic which you've implemented?

    If you mean what I mean, i.e. first option that we smuggers can add our own custom javascript codes, the only technical control you could have in your system is to strip specific parts of the custom javascript code. That will for sure be a very complex and cumbersome issue in your development.

    I am not trying to go in circles about this, just want to clarify this case because I think its a really harsh one which might have large bad effects for all parts involved (smuggers clients drop offs, smugmug customer drop offs due to cut off creativity, bad reputation, very mainstreamed sites and so on)

    It's really hard to see that this is due to security issues though, leaving us at a state of no control.

    Anyways, what is frustrating is that every little, even as very very simple fix, will have to wait according to your development lists. And meantime, all we can do (without javascript) is to try hack around these things using CSS-hacks (but no logic at all). A cumbersome task taking hours instead of seconds with javascript. (Such CSS hacks will also be very deemed to break if you change any of the structures involved in the CSS rules, just like you say javascript would.)


    3. Again then; how and what is the requirements to become a Trusted Customizer, Baldy clearly said it's not based on financial relationships

    Regards// Edsh
  • McQMcQ Registered Users Posts: 165 Major grins
    edited August 7, 2013
    Still waiting for a reply to my post (#65).

    I think that deserves a response, since it is clearly something you guys didn't have your act together on.
    "Where have you gone, Joe DiMaggio, our nation turns its lonely eyes to you?"

    http://mcq.smugmug.com
  • WinkXR6TWinkXR6T Registered Users Posts: 61 Big grins
    edited August 7, 2013
    Geez! I'm glad I read this thread or I never would've known my contact form was no longer functioning. It will be 18 hours before I get a chance to come up with an alternative. Which, by the way I have no clue on?

    I've always used a Wufoo form, so what are the other options that will work with the new Smugmug? I unveiled after I got everything working, so I can't go back and wait for this to be fixed.

    I really like the new Smugmug. However, I'm disappointed with how this issue has been handled. Hopefully lessons have been learnt and this type of thing won't happen again

    Keep up the good work :)
  • paulbrockpaulbrock Registered Users Posts: 515 Major grins
    edited August 7, 2013
    Current alternatives:

    - use default Smugmug contact form. Pro - dead easy to add, integrates well with site. Con - not customisable.
    - use Wufoo contact form in separate window e.g. http://paulbrockphotography.wufoo.com/forms/z7x4a3/ Pro - keeps power of Wufoo, easy to add. Con - looks amateur, doesn't integrate with site
    - use Wufoo contact form in another site mocked up to look like smugmug e.g. https://sites.google.com/site/pbpcontactform/ Pro - power of Wufoo, looks kinda integrated into site. Con - takes ages and fiddly, still not v professional
  • toddbuchanantoddbuchanan Registered Users Posts: 60 Big grins
    edited August 7, 2013
    So if smugmug wants examples of what we need to implement JavaScript, then here is mine...

    I am now admin on 8 sites (2 are my own and 6 are clients I convinced to sign up for Smugmug..and my client list is growing) and the primary thing I (they) need is being able to mirror their header and footer so it looks seamless to their site. I have no control over what my client's corporate web coders use, but 3 of the 6 have elements of JavaScript in their header or footer for menus or logins, so if I want to keep them happy, I need to have some sort of implementation that allows their header and footers.

    While I want to make my own site more sophisticated and maybe shift from WordPress to SM, it does make it harder for me to do that if iframes are not supported....

    So that is what I need JS for...keeping clients happy and me paying more money to SM so SM can make more money...I hope we can all live happily ever after, but for the moment I'm looking for that woman with the glass slipper and kinda panicked...Will my Prince Smugmug come to my rescue?
  • Cygnus StudiosCygnus Studios Registered Users Posts: 2,294 Major grins
    edited August 7, 2013
    mbonocore wrote: »
    We are working on getting you the tools you need.


    99% of the frustration (at least for me) is the continued surprises that seem to happen. It's seems that every single thing is a secret, and we are just let to "hope" that our websites will work from day to day.

    Relying on hope is an incredibly bad way to run a business.

    If something "needs" to be changed, that would be understandable if we found out from smugmug instead of our clients.

    Burying some explanation after the fact on a forum that 1/10th of your customers use isn't exactly the best customer service.

    I know that smugmug has the ability to send mass emails, I've gotten more than one in the last six years.
    Steve

    Website
  • VisfxguyVisfxguy Registered Users Posts: 11 Big grins
    edited August 7, 2013
    Guys, this is a disaster. That I have absolutely no control of the contact form -- my very first interaction with a potential client -- is unacceptable. That they think my first response to them is an insulting, simplistic "The Question" absolutely KILLS ME. I can't imagine who could have ever thought in a million years that was the best option to request information. This contact form is absolutely useless when it comes to capturing customer information necessary for my photography business. If we can't have this Wufoo option, then we need to have absolute control of our contact form options. Period.

    While this is not a deal breaker for me yet, this PRO won't be staying long if it isn't fixed immediately.
  • AbigayleRayPhotographyAbigayleRayPhotography Registered Users Posts: 20 Big grins
    edited August 7, 2013
    Visfxguy wrote: »
    Guys, this is a disaster.

    You've got that disaster part right! Although the newest problem doesn't really go with this thread, I'll make mention of it anyways (I started a new thread on it here: http://www.dgrin.com/showthread.php?p=1892008#post1892008)

    Your drop down menu's from your nav bars are not working now! I have tried on 4 browser's, 2 computers and my phone and none are working! Getting tired of my potential clients alerting me to things that aren't working on the site, and this is a major one this time! I have gone in and checked all settings and they are the same as they've been (pointing the menu tab to the correct page).
  • nikongirl74nikongirl74 Registered Users Posts: 46 Big grins
    edited August 7, 2013
    Default Contact form not working
    I was so tickled with my wafoo contact page and even more so with my google calendar page. I'm glad I read this or I would not have know that they had been disabled!!! I scrambled around and pointed my calendar menu tab to an html link to my google calendar (not good, had to open in a new tab for the client) and was going back to the default contact form but it won't work now. Help?
  • pipercreekphotographypipercreekphotography Registered Users Posts: 83 Big grins
    edited August 7, 2013
    I was so tickled with my wafoo contact page and even more so with my google calendar page. I'm glad I read this or I would not have know that they had been disabled!!! I scrambled around and pointed my calendar menu tab to an html link to my google calendar (not good, had to open in a new tab for the client) and was going back to the default contact form but it won't work now. Help?


    Valerie,

    How did you link your google calendar? I will have to do the same. :(
  • McQMcQ Registered Users Posts: 165 Major grins
    edited August 7, 2013
    Aaaaaaand...

    Still waiting for Baldy or Michael b. to answer this question...

    http://http://www.dgrin.com/showpost.php?p=1891083&postcount=65
    "Where have you gone, Joe DiMaggio, our nation turns its lonely eyes to you?"

    http://mcq.smugmug.com
  • Darter02Darter02 Registered Users Posts: 947 Major grins
    edited August 8, 2013
    Valerie,

    How did you link your google calendar? I will have to do the same. :(

    I think she simply open a new browser window to show her client a regular google calendar. I'm working on reformatting blogger to look like my new design in SM. My menu link will go to the post I originally used as the feed for the method this whole thread was originally about.
  • edshedsh Registered Users Posts: 27 Big grins
    edited August 8, 2013
    Mbonocore or Baldy,

    Please reply to my questions, http://www.dgrin.com/showpost.php?p=1891392&postcount=78

    Many thanks// Edsh
  • mbonocorembonocore Registered Users Posts: 2,299 Major grins
    edited August 12, 2013
Sign In or Register to comment.