Re: [Mathmesh] Using UDF for CDN content
Carsten Bormann <cabo@tzi.org> Tue, 12 November 2019 15:31 UTC
RFC 6920

Sent from mobile, sorry for terse

> On 12. Nov 2019, at 08:44, Michael Richardson <mcr@sandelman.ca> wrote:
>
>> On 2019-11-12 1:11 a.m., Phillip Hallam-Baker wrote:
>> I am just updating the Web site and upgrading to Bootstrap 4. In the
>> process, I came across this:
>>
>> <!-- Latest compiled and minified CSS -->
>> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
>>
>> Of course downloading bootstrap from a CDN makes every bit of sense
>> and even better to not have to download it more than once. But let's
>> just step back and think about what this line of code does.
>>
>> In effect, bootstrapcdn.com has just become a root of trust for my
>> Web pages. I have handed a vast degree of trust over to a site that I
>> have no direct connection to. All I did (or would have done if I
>> wasn't a security nut) was to cut and paste the code from a Web page
>> giving me instructions.
>
> You are completely correct in your assessment. You could download the
> code and put it on your web site, which would improve your threat
> surface, but if you did that you would be defeating a great deal of
> caching done by browsers of this kind of content. You might also miss
> out on updates, although if you are linking to a version-numbered
> content, then you are not getting any update advantage.
> I seem to remember linking to major-version only when pulling in jQuery.
>
>> Replacing the variable uri with a hardened one is much better:
>>
>> <link rel="stylesheet" href="udf:maxcdn.bootstrapcdn.com/MB5S-R4AJ-3FBT-7NHO-T26Z-2E6Y-WFH4">
>>
>> Of course we might well require some sort of transition strategy but
>> it seems we now EOL Web browsers after 8 years (IE 9 is no longer
>> supported by BS 4).
>
> Could we rely on some other (more primitive) bit of javascript to go
> through and replace this with the correct one? That probably means
> using something other than href=""
>
>> Content digest of the content provides a link to a fixed static
>> version of a resource which is exactly what I think is needed here. I
>> do NOT want anyone making supposed 'bug fixes' to content I am linking
>> to without testing them on my end.
>>
>> If a link to dynamic content was required, the way to effect it would
>> be to provide the content digest of the signature key.
>
> I would like to further remove the hostname from that and just give a hint.
> Any content with that hash would satisfy the requirement.
>
> --
> Mathmesh mailing list
> Mathmesh@ietf.org
> https://www.ietf.org/mailman/listinfo/mathmesh
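Added example, not part of the thread: Carsten's one-line pointer is RFC 6920, whose `ni:` names carry a content digest the way Phillip's `udf:` link does, with the host reduced to the optional hint Michael asks for. The Python below builds such a name for constructed stylesheet bytes (not the real bootstrap.min.css), maps it to the RFC's `.well-known/ni` fetch URL, and refuses content whose digest does not match; the hostname is taken from the thread, the CSS sample and function names are assumptions.

```python
"""RFC 6920 'ni' names for content-addressed CDN resources (added example)."""
import base64
import binascii
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for a stylesheet body; not the real bootstrap.min.css.
SAMPLE_CSS = b".btn{display:inline-block;padding:.375rem .75rem}"


def ni_name(content: bytes, authority: str = "") -> str:
    """Build ni://<authority>/sha-256;<base64url digest without padding>.

    The authority is only a hint about where to fetch; the digest is what
    the page author actually trusts, so an empty authority is legal.
    """
    digest = hashlib.sha256(content).digest()
    b64 = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return f"ni://{authority}/sha-256;{b64}"


def parse_ni(uri: str) -> tuple[str, str, str]:
    """Return (authority, algorithm, digest) from an ni URI; raise on junk."""
    parts = urlsplit(uri)
    if parts.scheme != "ni" or ";" not in parts.path:
        raise ValueError("not an RFC 6920 ni URI")
    alg, digest = parts.path.lstrip("/").split(";", 1)
    return parts.netloc, alg, digest


def well_known_url(uri: str, scheme: str = "https") -> str:
    """RFC 6920 section 4 HTTP(S) mapping used to fetch a named object."""
    authority, alg, digest = parse_ni(uri)
    if not authority:
        raise ValueError("authority hint needed for .well-known mapping")
    return f"{scheme}://{authority}/.well-known/ni/{alg}/{digest}"


def verify(content: bytes, uri: str) -> bool:
    """True only if the fetched bytes hash to the digest carried in the name."""
    _, alg, digest = parse_ni(uri)
    if alg != "sha-256":  # unknown hash suite: refuse rather than guess
        return False
    try:
        want = base64.urlsafe_b64decode(digest + "=" * (-len(digest) % 4))
    except (ValueError, binascii.Error):
        return False
    have = hashlib.sha256(content).digest()
    return hmac.compare_digest(want, have)
```

The `b"Hello World!"` name this produces matches the worked example in RFC 6920 itself, so the encoding can be checked against the RFC text.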