Time to bring this one up again: When is CW going to introduce change management and involve their customers? Proactive communication?
Last weekend a new ‘security feature’ on the application level was ‘introduced’ called ‘Direct PHP File Access’. No email communication about it. Not even a Top-Right-Corner present announcing it. No, just throw it in production and, to make sure it really breaks a lot (especially AJAX calls), turn the setting to disabled by default.
I understand it could be a good filter but:
a) design it with options that would be useful. E.g. same-origin site calls are a configurable exception. People that write AJAX calls know how to make them not directly accessible.
b) do not change a setting by default as the first deployment. Introduce the feature with the setting that provides the same practical effect. Then communicate. Then change the default.
c) start using email communications to your technical contacts. Every other provider out there does this …
This feature was introduced on or right after the 18th … and ZERO comms about it. I guess nobody uses PHP …