Re: [Mathmesh] Using UDF for CDN content
Michael Richardson <mcr@sandelman.ca> Tue, 12 November 2019 07:27 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: mathmesh@ietfa.amsl.com
Delivered-To: mathmesh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57D15120168 for <mathmesh@ietfa.amsl.com>; Mon, 11 Nov 2019 23:27:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vFwAmzlnwF8Q for <mathmesh@ietfa.amsl.com>; Mon, 11 Nov 2019 23:27:47 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 903311200A4 for <mathmesh@ietf.org>; Mon, 11 Nov 2019 23:27:47 -0800 (PST)
Received: from [192.168.44.20] (unknown [209.52.88.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by tuna.sandelman.ca (Postfix) with ESMTPSA id 76D8D3818F for <mathmesh@ietf.org>; Tue, 12 Nov 2019 02:24:16 -0500 (EST)
To: mathmesh@ietf.org
References: <CAMm+LwgYiZGFePej6kncJidnKMbPA+4gHtym=MGEKjJrR2wWsw@mail.gmail.com>
From: Michael Richardson <mcr@sandelman.ca>
Openpgp: preference=signencrypt
Autocrypt: addr=mcr@sandelman.ca; keydata= mQGNBF3EaO8BDADNdcAioLgGWFMLcmR6SuX1ioVH0v1fcprk0Wl1Qc7LCdwqj+QSdv84oNe1 h6lTf+CsmzO+TZtL+2iUzR3WHyXViEJcSHldx2YIfgxGZkzqgqozDj2IoHCU6ezhQz2TwJO7 l6H7fIPBbemIu8qVezwP1azLVq3D+cXZkkOvsFhTiw1bF/WF8lIIAYEbQ4YyYyjk5DS30x59 kxFNSv6om8rqSAKs2epneEWpzybB0J82dBnB4VDDsMmTJWPkszvQoCjCbrvgDAuoRtL5su2V IQWw61O6N5p1mwJ7VQoPDWYyeFH4NrVlL71FwRLueVPle76Oi3ybE2IMUvHZ/e42jVBizlQj 1N/2x7mGk35Zrvz0WHjZLcFJYJkDOnLsMU1smhdRtxNfYf576DTlzQKVcLmNCfOKAWnz4DdQ gRI4pNs24NoxLXl5v5mhDHRX5Me+CuckkFNGSlCXZ5kMXzPPFAV6CwMlm65P1tVJq9td8Uh0 5I5okPcENk5iY+FniqMXamsAEQEAAbQlTWljaGFlbCBSaWNoYXJkc29uIDxtY3JAc2FuZGVs bWFuLmNhPokB1AQTAQgAPhYhBKMP9ag1YAG1i9s8WHACrsLM2IBDBQJdxGjwAhsDBQkB4TOA BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHACrsLM2IBDeJ4MAMvUmQjFqXgsg4KhIWQb QBcgNPxrtp9jW/i2m//0zVA2iGxbeTOZD6cmcNDRj153TbSGTEH03oJIeYbdwlOCe5blA6h4 FTEBwt/qX+mjRYKXuA3uvFdEJQJPFcaWFF68rgQMxgLPPUAnTYQ00SqaBEg+Vh4gSh8yOHuU 8VTgenm4JpBdJQx7/7syvIaQilhN2fF25CcA7hArmebkaG691x+cFD60s8ITI9PSf82SVUnp mspJTGptxFxH/GM/kW40iB4tUjZrUSQfTfWIXA/5j005XbVbo1DIYirWWNK0WPVsh51ullzt u37BDVj/SmgbGhvTUXwsBi4b+T2cJHLt+8QT/KM8OA+UA8AlkNPleKtOzxsg5z22m0fzollE Zcw9VIojPKIhTUYU79InmibEUoGfb05MFJM9aXX5BMoJNpKcB92PKI/gMsrxMwH1exs0cY/E K/xYdpFo3rTPw5KSsDkr7ZbqGPgz+QP2H+TLwgLKMFTBlVKpj+oqBnqeEVVrC7kBjQRdxGjv AQwA0T5oxtsQkr3I3FxBi5TkNSh0HZ7ND5xJJkyM6wLAsljLk5KhdcxjTlo6htNjRUuUy1Ld 0bARmezZf5GqKRh6fR7WX9EdYjGm0RbcK3tQ3L61h4p3EOplKgMSoGpGamLSDzRs3SAJu4GF iHfzQ20R0PxBN/CbzWh6ROPcxQ8wwt8G4ZOwU4zXfSmZqZwNp/6xosLCl3TKvFWX6421Vb/L WAOOAz/xSyS0GCUs/grBUfzu95+TTskRk7kkeYSQ//1Oq9srPlIU9lx3Y4jDgPkXIwd9eXOq e7/5y4bQkILGGMIux878DhAED865hPMBuHlkDNzIuo6HhjRkShLBM16yQhK+NJ0WI77+m1FD 7r5QL6iU57zI/B5U03JKZhW0Pm3Bm+RWZPWGVawkPUnvxoMFbw+x1+MnKZgXwRmRmbFsCHhD VmrDKLWXRm9QvTB+k0ZnTdme9ZwSNCn0CXME2rNtOR39Yh6dsWH2nMPvg/G5iUmZyO9Oa01W xhWcXnKA+v+VABEBAAGJAbwEGAEIACYWIQSjD/WoNWABtYvbPFhwAq7CzNiAQwUCXcRo7wIb DAUJAeEzgAAKCRBwAq7CzNiAQwaOC/4olaVHP/npCn2CrtAOstbyytePFmS9NAwdT8A6mA4s +WshPo1DhKEnKnYzW/S0jLf0iqlzT8LUqu2G8f6elGzghRR8WJVn0zH7LVCKMWo/tHE2rWyi Q1zuX9o7ChTodQ8cXx0lM1xdY8v4Amc5fFxyyhJprKZAtiDJ897vv1jP09fWLEBhaDsHqLhg ckQpIoee0Id4FXGt7wxDsPwa64SUUCTYdt98EiLoUY6eAWQnyelgbFU+D/bxkeytmmvWOVr7 UXVMQlEKG7E31G1XQMk6sFATF1dwiH/laLQPLuMYr7owUC+ef/YAWSHMTYeIfwdt/Yd8ngJ8 SFA6Uc+Bjr0i1jdnxS5H3EF4V1FNY2rh4zNPVNj2UrZaShK/XH4hnTJUYL5fo2ygt2ZM98ot 8lIsHGAJQHDl2/EffLsAL85pXDPl8E+nvOUOE1kwmfOgv/oV8z0469qu/hNiEpGp8xKBqGEL NWHd8fH5S9JxVix9Ed34vi9Cyf24iLjiWZBemXw=
Message-ID: <2301212a-ebea-7c8d-f52a-83e2988df71e@sandelman.ca>
Date: Tue, 12 Nov 2019 15:21:36 +0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CAMm+LwgYiZGFePej6kncJidnKMbPA+4gHtym=MGEKjJrR2wWsw@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="8TqOexf6aBn3qqSMhBLjordm8Ilkv88jm"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mathmesh/6tH1KrbQMWxi3rJ8rTDf5tt5eXA>
Subject: Re: [Mathmesh] Using UDF for CDN content
X-BeenThere: mathmesh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <mathmesh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mathmesh>, <mailto:mathmesh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mathmesh/>
List-Post: <mailto:mathmesh@ietf.org>
List-Help: <mailto:mathmesh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mathmesh>, <mailto:mathmesh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2019 07:27:50 -0000
On 2019-11-12 1:11 a.m., Phillip Hallam-Baker wrote: > I am just updating the Web site and upgrading to Bootstrap 4. In the > process, I came across this: > > <!-- Latest compiled and minified CSS --> > <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css"> > Of course downloading bootstrap from a CDN makes every bit of sense > and even better to not have to download it more than once. But lets > just step back and think about what this line of code does. > > In effect, bootstrapcdn.com <http://bootstrapcdn.com> has just become > a root of trust for my Web pages. I have handed a vast degree of trust > over to a site that I have no direct connection to. All I did (or > would have done if I wasn't a security nut) was to cut and paste the > code from a Web page giving me instructions. You are completely correct in your assessment. You could download the code and put it on your web site, which would improve your threat surface, but if you did that you would be defeating a great deal of caching done by browsers of this kind of content. You might also miss out on updates, although if you are linking to a version-numbered content, then you are not getting any update advantage. I seem to remember linking to major-version only when pulling in jQuery. > Replacing the variable uri with a hardened one is much better: > > <link rel="stylesheet" href="udf:maxcdn.bootstrapcdn.com/MB5S-R4AJ-3FBT-7NHO-T26Z-2E6Y-WFH4 > <http://maxcdn.bootstrapcdn.com/MB5S-R4AJ-3FBT-7NHO-T26Z-2E6Y-WFH4>"> > > Of course we might well require some sort of transition strategy but > it seems we now EOL Web browsers after 8 years (IE 9 is no longer > supported by BS 4). Could we rely on some other (more primitive) bit of javascript to go through and replace this with the correct one? That probably means using something other than href="" > Content digest of the content provides a link to a fixed static > version of a resource which is exactly what I think is needed here. I > do NOT want anyone making supposed 'bug fixes' to content I am linking > to without testing them on my end. > > If a link to dynamic content was required, the way to effect it would > be to provide the content digest of the signature key. I would like to further remove the hostname from that and just give a hint. Any content with that hash would satisfy the requirement.
- [Mathmesh] Using UDF for CDN content Phillip Hallam-Baker
- Re: [Mathmesh] Using UDF for CDN content Michael Richardson
- Re: [Mathmesh] Using UDF for CDN content Salz, Rich
- Re: [Mathmesh] Using UDF for CDN content Carsten Bormann
- Re: [Mathmesh] Using UDF for CDN content Phillip Hallam-Baker
- Re: [Mathmesh] Using UDF for CDN content Michael Richardson
- Re: [Mathmesh] Using UDF for CDN content Phillip Hallam-Baker