Leaving "Uncompressed Javascript" Unchecked has no effect
After the CoachZ Attack (that's what we're calling it now) in December, we announced that some features of the Members area download system (like the default capability of downloading with the Javascript minified), weren't working but would be fixed by the end of January.
Well, it's the end of April now, so I went ahead and finally fixed the minified Javascript feature. Note that while we discussed moving some functions like this to a third-party, due to cost, we opted not to do so, at least for this feature. Thankfully, we were able to figure out a way to re-implement it without using Tomcat or any kind of servlet that could accept a similar infection as before, even though it required us to use a wee bit more Java than before.
Instead, we use a temporary persistent JVM (via NailGun) that is created when the first Javascript file needs to be minified and destroyed when the last file is completed. This results in a Java server that is only available for just over 1 second, that can only communicate with the script that created it, and that can only use Java scripts that the calling script defined. This makes for a much more efficient and secure solution than Tomcat, and at 1.2 seconds is much faster than not using a persistent JVM (50.9 seconds).