
Notes 8.5.2 allows users to install widgets from .zip files #ibmexperience




This is a definite no-no, as discussed in the Consultant In Your Pocket webcast on Deploying Widgets and Plug-ins to Notes and Sametime. You can watch the full replay of the webcast here.

Notes and Domino 8.5.2 enables users to install a widget that is supplied to them as a .zip file.
Users can either drag and drop the .zip file into their My Widgets sidebar panel or use the Import menu option from the My Widgets sidebar panel.

This in itself should scare any Domino administrator who is worried about security and controlling deployment. The ability for a user to drag and drop a .zip file into their Notes client, which then updates from remote locations, is of immediate concern. You can control this ability via policy, but many overlook it.
This option is available for all supported widget types and enables the user to install a widget while working online or offline.

To make provisioning widgets self-contained in the .zip file, the updateSite URL in the widget definition must be set to jar:${zip.root}!/ and the updateSite itself must also reside in the .zip file.
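As an added example (not from the original post or from IBM), here is one way an administrator could inspect a widget .zip before approving it: the script lists every update-site reference in the archive and reports whether the package is self-contained or points at a remote location. The XML element and attribute names in the constructed sample are hypothetical, and treating a bundled `site.xml` as the marker of an Eclipse-style update site is an assumption.

```python
import io
import re
import zipfile

ZIP_ROOT_SITE = "jar:${zip.root}!/"  # updateSite value the post gives for a self-contained widget
XMLNS_RE = re.compile(r"""xmlns(?::[\w.-]+)?\s*=\s*["'][^"']*["']""")  # namespace URIs are not fetched
URL_RE = re.compile(r"""(?:https?|ftp)://[^\s"'<>\]]+""", re.I)
TEXT_EXT = (".xml", ".properties", ".mf")
MAX_MEMBER = 5_000_000  # skip members that declare a larger uncompressed size


def audit_widget_zip(data: bytes) -> dict:
    """List update-site references in a widget .zip and classify the package."""
    report = {"zip_root_refs": [], "remote_urls": [], "has_site_xml": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower == "site.xml" or lower.endswith("/site.xml"):
                report["has_site_xml"] = True  # assumption: Eclipse-style update site
            if not lower.endswith(TEXT_EXT) or info.file_size > MAX_MEMBER:
                continue
            text = XMLNS_RE.sub("", zf.read(info).decode("utf-8", errors="replace"))
            if ZIP_ROOT_SITE in text:
                report["zip_root_refs"].append(name)
            report["remote_urls"] += [(name, u) for u in URL_RE.findall(text)]
    if report["remote_urls"]:
        report["verdict"] = "remote"          # references a location outside the archive
    elif report["zip_root_refs"] and report["has_site_xml"]:
        report["verdict"] = "self-contained"  # both conditions from the post are met
    else:
        report["verdict"] = "incomplete"      # no usable update site found in the zip
    return report


def build_sample(update_site: str, bundle_site: bool) -> bytes:
    """Constructed test archive; the XML element and attribute names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension.xml",
                    f'<widget xmlns="http://example.invalid/ns"><feature url="{update_site}"/></widget>')
        if bundle_site:
            zf.writestr("site.xml", "<site/>")
    return buf.getvalue()


if __name__ == "__main__":
    for site, bundled in [(ZIP_ROOT_SITE, True), ("https://updates.example.invalid/site", False)]:
        print(site, "->", audit_widget_zip(build_sample(site, bundled))["verdict"])
```

A "remote" verdict lists each file and URL in `remote_urls`, so the reviewer can see exactly where the widget would fetch its features from.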

I would suggest watching the webcast to understand the risks and the measures that protect you and your users from this new ability in Notes 8.5.2 to install widgets from .zip files.