Question

Several pieces of ColdFusion functionality - media player and multi file uploader - are predicated on JavaScript libraries being available at /CFIDE/scripts, even if the scriptsrc is configured in Application.cfc. See the bug here for a point of reference: http://www.elliottsprehn.com/cfbugs/bugs/83328

Unfortunately exposing the CFIDE directory as-is from a ColdFusion installation is a security risk. So I'm trying to decide the right path forward to enable my application's use of this functionality whilst not exposing this hole. The wrinkle is that I am shipping a product so I am trying to imagine a solution that I can either automate with an installer or document easily enough that a system administrator should have no trouble setting up.

These are the options I've come up with:

  1. Document to, or have the installer, create an empty directory and virtually map it as /CFIDE. Copy the contents of the scripts folder from the ColdFusion installation beneath it.
  2. Distribute just the files I need modified and ensure the referenced .swfs are in whatever location it's changed to (paths are relative to CFIDE/scripts):
    1. /ajax/package/cffileupload_swf.js
    2. /ajax/package/cfmediaplayer.js

Which option seems better? Or do you have a better idea?


Solution

You could simply map the full scripts folder. Rather than map /CFIDE, map /CFIDE/scripts. This would expose the scripts folder, but /CFIDE wouldn't exist at all.

Another similar option is to copy the scripts folder to somewhere "common" and again create a /CFIDE/scripts mapping to this folder.

Both of these solutions are virtually identical, but the second is probably better for the truly paranoid.
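
The second option above, written as a step an installer could run. This is an added example, not code from the answer. It assumes a POSIX shell and Apache httpd 2.4; the function name `stage_cfide_scripts` and every path are hypothetical, and the `FilesMatch` rule assumes clients need only static files from this folder.

```shell
#!/bin/sh
# Added example (not from the answer): copy ColdFusion's scripts folder to a
# "common" directory and write an Apache httpd 2.4 include that maps only
# /CFIDE/scripts to that copy. Function name and all paths are assumptions.

stage_cfide_scripts() {
    src=$1    # scripts folder inside the ColdFusion install's CFIDE directory
    dest=$2   # absolute path of the copy the web server will serve
    conf=$3   # httpd include file to generate

    # The source must look like the scripts folder (paths named in the question).
    [ -d "$src/ajax/package" ] || { echo "no ajax/package under $src" >&2; return 1; }

    # Alias needs an absolute filesystem path.
    case "$dest" in
        /*) ;;
        *) echo "dest must be an absolute path" >&2; return 1 ;;
    esac

    # Staging the copy inside the original CFIDE tree would defeat the purpose.
    parent=$(dirname "$src")
    case "$dest" in
        "$parent"|"$parent"/*) echo "dest is inside $parent" >&2; return 1 ;;
    esac

    mkdir -p "$dest" && cp -R "$src/." "$dest/" || return 1

    # Only the /CFIDE/scripts URL is defined; no /CFIDE mapping is created.
    # The FilesMatch rule assumes clients need only static files from here.
    cat > "$conf" <<EOF
Alias /CFIDE/scripts "$dest"
<Directory "$dest">
    Options -Indexes
    AllowOverride None
    Require all granted
    <FilesMatch "\.(cfm|cfml|cfc)\$">
        Require all denied
    </FilesMatch>
</Directory>
EOF
}

# Usage: sh stage_cfide.sh <cf_scripts_dir> <dest_dir> <conf_file>
if [ "$#" -eq 3 ]; then
    stage_cfide_scripts "$@"
fi
```

Because the copy is a snapshot, the installer step has to be re-run after a ColdFusion update so the staged scripts match the installed version.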

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow