
Re: [Pkg-fonts-devel] [Pkg-javascript-devel] Debian font URLs [was: Re: Debian javascript URLs]



On 22/08/2013 09:34, Paul Wise wrote:
> Whenever this idea has come up (including the current /javascript
> implementation) I have always thought it was a bad idea, especially
> for JavaScript. Exposing more than absolutely needed for each website
> at minimum is an information leakage. With JS or CSS it might lead to
> security issues in the web apps on the same domain. Instead, the
> scripts used for setting up vhosts should reference the needed
> CSS/JS/etc dependencies using the web server or framework
> configuration. In addition, you can never know which URLs a specific
> web app, vhost or instance of a web app will use at runtime, so
> unilaterally taking over a generic path like /javascript, /assets,
> /_assets or /_sysassets is a recipe for annoying our users (social
> contract says no).

Agreed - I don't understand what the use is of sharing all those assets
over HTTP. Besides, it's not that hard to set up a web server to do just
that, and it's up to the user to decide this.

The discussion should be about what the standard FHS paths to those
files are, and if that's not already the case, try to define those paths.
Having standard paths will give us portable httpd configurations.

Another matter is the paths to the other versions of the
files: JavaScript files or stylesheets can have minified versions, fonts can
have woff, eot, ttf, svg.

Jérémy.



> I also think web fonts (and other recent browser attack-surface bloat)
> are an insane idea for security. They also lead to sites doing stupid
> things like putting icons into the PUA of web fonts. They are yet
> another reason why I'm wishing I could leave the web.
> 
> </rant>
> 

PS: oh come on, please don't rant.
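As an added illustration of the per-vhost approach Paul describes above (this is constructed example configuration, not part of the original thread or of any Debian package), the contrast between the global /javascript alias the thread refers to and a vhost that exposes only the one library it needs. The vhost name, paths and library directory are assumptions.

```apache
# Constructed example, not from the thread.
#
# The global approach: an Alias in the server-wide configuration makes the
# whole /usr/share/javascript tree reachable as /javascript on every vhost,
# so every site served here reveals which library packages are installed.
# The per-vhost approach below is the alternative: disable the global alias
# (on Debian, conf snippets are toggled with a2disconf/a2enconf) and let each
# vhost reference only the dependency it actually needs, under a path the
# application chooses.

<VirtualHost *:80>
    ServerName example.org                 # assumed vhost name
    DocumentRoot /var/www/example.org      # assumed document root

    # Expose one library only, at a site-chosen path rather than a generic
    # shared one. The source directory is an assumption.
    Alias /static/jquery /usr/share/javascript/jquery
    <Directory /usr/share/javascript/jquery>
        Options -Indexes                   # no directory listings
        Require all granted
    </Directory>
</VirtualHost>
```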



