Re: [Mathmesh] Using UDF for CDN content

Carsten Bormann <cabo@tzi.org> Tue, 12 November 2019 15:31 UTC


RFC 6920

Sent from mobile, sorry for terse

> On 12. Nov 2019, at 08:44, Michael Richardson <mcr@sandelman.ca> wrote:
> 
> 
> 
>> On 2019-11-12 1:11 a.m., Phillip Hallam-Baker wrote:
>> I am just updating the Web site and upgrading to Bootstrap 4. In the
>> process, I came across this:
>> 
>> <!-- Latest compiled and minified CSS -->
>> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">  
>> Of course downloading bootstrap from a CDN makes every bit of sense
>> and even better to not have to download it more than once. But let's
>> just step back and think about what this line of code does.
>> 
>> In effect, bootstrapcdn.com has just become
>> a root of trust for my Web pages. I have handed a vast degree of trust
>> over to a site that I have no direct connection to. All I did (or
>> would have done if I wasn't a security nut) was to cut and paste the
>> code from a Web page giving me instructions.
> 
> You are completely correct in your assessment.  You could download the
> code and put it on your web site, which would improve your threat
> surface, but if you did that you would be defeating a great deal of
> caching done by browsers of this kind of content.  You might also miss
> out on updates, although if you are linking to a version-numbered
> content, then you are not getting any update advantage.
> I seem to remember linking to major-version only when pulling in jQuery.
> 
>> Replacing the variable uri with a hardened one is much better:
>> 
>> <link rel="stylesheet" href="udf:maxcdn.bootstrapcdn.com/MB5S-R4AJ-3FBT-7NHO-T26Z-2E6Y-WFH4">
>> 
>> Of course we might well require some sort of transition strategy but
>> it seems we now EOL Web browsers after 8 years (IE 9 is no longer
>> supported by BS 4).
> 
> Could we rely on some other (more primitive) bit of javascript to go
> through and replace this with the correct one?  That probably means
> using something other than href=""
> 
>> Content digest of the content provides a link to a fixed static
>> version of a resource which is exactly what I think is needed here. I
>> do NOT want anyone making supposed 'bug fixes' to content I am linking
>> to without testing them on my end.
>> 
>> If a link to dynamic content was required, the way to effect it would
>> be to provide the content digest of the signature key.
> 
> I would like to further remove the hostname from that and just give a hint.
> Any content with that hash would satisfy the requirement.
> 
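
RFC 6920, cited in the reply above, defines `ni:` URIs that name content by its digest, with the authority acting only as a fetch hint, which matches the "any content with that hash would satisfy the requirement" idea in the thread. The following is an added example, not code from any of the posters or from the Mesh project; the function names are hypothetical, only SHA-256 is handled, and the sample bytes are the "Hello World!" test input from RFC 6920.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Subset of the RFC 6920 hash names handled in this example (assumption: SHA-256 only).
ALGORITHMS = {"sha-256": hashlib.sha256}

SAMPLE = b"Hello World!"  # test input used in RFC 6920's own examples


def _b64url(digest: bytes) -> str:
    # RFC 6920 encodes the digest as base64url with the "=" padding removed.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_ni(content: bytes, authority: str = "", alg: str = "sha-256") -> str:
    """Name content by its digest; authority is only a hint about where to fetch it."""
    return f"ni://{authority}/{alg};{_b64url(ALGORITHMS[alg](content).digest())}"


def parse_ni(uri: str):
    """Split an ni URI into (authority, algorithm, digest value)."""
    parts = urlsplit(uri)
    if parts.scheme != "ni":
        raise ValueError("not an ni URI")
    alg, sep, value = parts.path.lstrip("/").partition(";")
    if not sep or alg not in ALGORITHMS:
        raise ValueError("missing or unsupported hash algorithm")
    return parts.netloc, alg, value


def well_known_url(uri: str) -> str:
    """Map the name to its HTTPS .well-known location (RFC 6920, section 4)."""
    authority, alg, value = parse_ni(uri)
    if not authority:
        raise ValueError("no authority hint to fetch from")
    return f"https://{authority}/.well-known/ni/{alg}/{value}"


def verify(uri: str, content: bytes) -> bool:
    """Accept bytes from any source, but only if they hash to the named value."""
    _, alg, value = parse_ni(uri)
    return hmac.compare_digest(_b64url(ALGORITHMS[alg](content).digest()), value)
```

Because `verify` ignores the authority, a copy served from a different mirror or a local cache passes, while a modified file from the original host fails.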