[Mathmesh] Using UDF for CDN content
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 11 November 2019 17:11 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: mathmesh@ietfa.amsl.com
Delivered-To: mathmesh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBC24120A44 for <mathmesh@ietfa.amsl.com>; Mon, 11 Nov 2019 09:11:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Avbu2hEOHLQ7 for <mathmesh@ietfa.amsl.com>; Mon, 11 Nov 2019 09:11:11 -0800 (PST)
Received: from mail-oi1-f173.google.com (mail-oi1-f173.google.com [209.85.167.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2686B120A3D for <mathmesh@ietf.org>; Mon, 11 Nov 2019 09:11:11 -0800 (PST)
Received: by mail-oi1-f173.google.com with SMTP id 14so6133269oir.12 for <mathmesh@ietf.org>; Mon, 11 Nov 2019 09:11:11 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Wqvt6NqFVYFFiuqIKErhifM0Vzx3kp/xHYsIrf0I0vE=; b=q+p6eIjJkB1UN9pHEtF70zzq4NSDHR0aZh5bAIa29QLzkuRGbAthD50txMMOXjYHrR gQWUrxiFDtpETzFP/MX2T9AgRuH0bNakLeWEO/mlR3fJA/r8czW+aOdHB4iGBCzLb7tE MqJ7t4yK+dR+Qc0DICadmoLBKSu+Kr01adtZ9AfYuievnX22nct+su3rFNWNZScgWlaO finYAkmco5LG12XEf5QAv/WjMa+n2yI5iYoeBbtMpXZZnRTVE2VnTHaivmRYPMdWKz/g +BqJ1D55IEe8b7ohnC1XTF9w45Qmwrq5Xba4LIGkiOnCD97olrFCE87k/1nfDAWXCint dEQg==
X-Gm-Message-State: APjAAAWrrv4zpuQWFeWqFq0qQSoUrsvkEVa4TGZpF2NtjnXylcLl39a2 54T+ZcBHLxIOTHvOgrXhOz9mD62Y9q03leGrEOfiNPul
X-Google-Smtp-Source: APXvYqwxRkwTPSsa2uc1xgVzBGxrp6PBm1j9kRHiLIiaTHLGlG1BZ4hZ4yE7KkW+LofINRysLUE0OEEz2eTnnj5X/nY=
X-Received: by 2002:aca:5058:: with SMTP id e85mr51750oib.100.1573492269951; Mon, 11 Nov 2019 09:11:09 -0800 (PST)
MIME-Version: 1.0
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 11 Nov 2019 12:11:00 -0500
Message-ID: <CAMm+LwgYiZGFePej6kncJidnKMbPA+4gHtym=MGEKjJrR2wWsw@mail.gmail.com>
To: mathmesh@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ceaff205971537be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mathmesh/vNkQBUdDd7yG1CPa97MYEBeC9u8>
Subject: [Mathmesh] Using UDF for CDN content
X-BeenThere: mathmesh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <mathmesh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mathmesh>, <mailto:mathmesh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mathmesh/>
List-Post: <mailto:mathmesh@ietf.org>
List-Help: <mailto:mathmesh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mathmesh>, <mailto:mathmesh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Nov 2019 17:11:15 -0000
I am just updating the Web site and upgrading to Bootstrap 4. In the process, I came across this: <!-- Latest compiled and minified CSS --> <link rel="stylesheet" href=" https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css"> Of course downloading bootstrap from a CDN makes every bit of sense and even better to not have to download it more than once. But lets just step back and think about what this line of code does. In effect, bootstrapcdn.com has just become a root of trust for my Web pages. I have handed a vast degree of trust over to a site that I have no direct connection to. All I did (or would have done if I wasn't a security nut) was to cut and paste the code from a Web page giving me instructions. Replacing the variable uri with a hardened one is much better: <link rel="stylesheet" href="udf: maxcdn.bootstrapcdn.com/MB5S-R4AJ-3FBT-7NHO-T26Z-2E6Y-WFH4"> Of course we might well require some sort of transition strategy but it seems we now EOL Web browsers after 8 years (IE 9 is no longer supported by BS 4). Content digest of the content provides a link to a fixed static version of a resource which is exactly what I think is needed here. I do NOT want anyone making supposed 'bug fixes' to content I am linking to without testing them on my end. If a link to dynamic content was required, the way to effect it would be to provide the content digest of the signature key.
- [Mathmesh] Using UDF for CDN content Phillip Hallam-Baker
- Re: [Mathmesh] Using UDF for CDN content Michael Richardson
- Re: [Mathmesh] Using UDF for CDN content Salz, Rich
- Re: [Mathmesh] Using UDF for CDN content Carsten Bormann
- Re: [Mathmesh] Using UDF for CDN content Phillip Hallam-Baker
- Re: [Mathmesh] Using UDF for CDN content Michael Richardson
- Re: [Mathmesh] Using UDF for CDN content Phillip Hallam-Baker