As I was preparing for my presentation today, I was playing a bit with the new scriptProtect feature of ColdFusion MX7. I turned the option on, performed a test, and was puzzled when scriptProtect didn't actually do anything. Thinking that maybe my Application.cfc was cached, I restarted ColdFusion, but nothing changed.
I checked the docs (always a good idea) and realized I had made a very simple mistake. ScriptProtect expects three possible values. Either "all", "none", or a list of ColdFusion scopes to protect. I had done this:
To me, this just seemed like the natural way to turn on script protection. However, not only did it not work, it never threw an error either. To me, this is a bit dangerous. I had expected my site to be protected, but it wasn't since I had supplied the wrong value. I would normally expect ColdFusion to throw an error, especially with something security related like this. Watch out for it folks!