F20 System Wide Change: Web Assets

T.C. Hollingsworth tchollingsworth at gmail.com
Sun Aug 4 01:24:54 UTC 2013


On Tue, Jul 30, 2013 at 5:48 AM, Robert Marcano
<robert at marcanoonline.com> wrote:
> On 07/26/2013 12:30 PM, Nicolas Mailhot wrote:
>> Le Lun 22 juillet 2013 21:58, Robert Marcano a écrit :
>>
>>> The real problem with publishing things is that if I distribute binaries
>>> of many things I must follow the license, some say I need to distribute
>>> sources, some say that I need to distribute a copy of the license, etc.
>>> Making files downloadable by default adds to the distributor more work
>>> (legal) because they must comply with their licenses. So if I put an
>>> open service of an Apache licensed web application, I will start
>>> distributing fonts with other licenses without ever noticing, for
>>> example GPL+3 (nothing against any license, only examples of the things
>>> people should care about when distributing free/open licensed code/assets)
>>
>>
>> Again, the fonts available in Fedora are carefully vetted and none of them
>> have redistribution restrictions (and even for those with GPLish licenses
>> a large part of the font community considers the font file is the font
>> source, so you can't redistribute one without the other)
>>
>> I understand your point but please take another example.
>>
>
> There isn't another example, with the exception of Javascript code that is
> planned to be made available too. I don't consider that the distribution
> must make the decision to make me a distributor of assets I am not using on
> one of the web applications I decided to publish on my webserver, those web
> applications must make available those assets and only those assets.

You make the decision by installing a js-foo package, just like you
make the decision to provide a web application by installing a package
for it.

Also, it's just a default.  Disabling it will be easy; just truncate
the relevant config file:
echo > /etc/httpd/conf.d/web-assets.conf

> To
> force me to blacklist is wrong. Javascript code is worse in this aspect
> because it can be used as an attack vector, finding vulnerabilities that
> allow someone to inject Javascript code from the same server

There is nothing like CORS protection for <script> tags. (In fact,
they are commonly used to evade it, i.e. JSONP.)  If an attacker can
force your application to load code from your server they can just as
easily pull it from a public CDN or a server under their control.
Even disabling all external script loading wouldn't help you, since
they could just use eval().

-T.C.
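An added illustration of the JSONP point made in the reply above (example code written for this page; it is not from the thread, from T.C., or from Fedora's web-assets packaging): a script response is executed by the browser, not read by the page, so it crosses origins with no Access-Control-Allow-Origin header involved. The function names `jsonpEndpoint`, `runAsScriptTag` and `jsonpDemo` and the hosts api.example and app.example are assumptions made for the example.

```javascript
// Added example, not code from the thread. Names and hosts are assumed.

// Server side, e.g. https://api.example/users?callback=handle
// The response is a JavaScript program, not JSON: the browser runs it as a
// cross-origin <script>, so the page never "reads" a body and CORS is never
// consulted. That is exactly what makes JSONP work, and why the thread calls
// <script> tags a way around CORS rather than something CORS protects.
function jsonpEndpoint(query, data) {
  const cb = query.callback;
  // Practitioner check: the callback name is echoed into a response served
  // as executable script, so an unvalidated name is an injection point.
  if (typeof cb !== 'string' || !/^[A-Za-z_$][\w$]*$/.test(cb)) {
    return { status: 400, contentType: 'text/plain', body: 'bad callback' };
  }
  return {
    status: 200,
    contentType: 'application/javascript',
    body: `${cb}(${JSON.stringify(data)});`,
  };
}

// Browser side. <script src="https://api.example/..."> executes the fetched
// text in the page's global scope whatever the server's origin. Modelled here
// with new Function, which likewise evaluates the text as global code. By
// contrast, an XMLHttpRequest/fetch from https://app.example to
// https://api.example could not read the same bytes without a matching
// Access-Control-Allow-Origin header.
function runAsScriptTag(scriptText) {
  new Function(scriptText)();
}

// Demo: a page on https://app.example pulls data from https://api.example
// by registering a global callback and loading the JSONP URL as a script.
function jsonpDemo() {
  const received = [];
  globalThis.handle = (obj) => received.push(obj); // the page's callback
  const resp = jsonpEndpoint({ callback: 'handle' }, { user: 'alice', id: 7 });
  if (resp.status === 200) runAsScriptTag(resp.body);
  delete globalThis.handle;
  return received; // the cross-origin data, delivered by code execution
}

console.log(JSON.stringify(jsonpDemo()));
```

Run with `node`. The identifier check in `jsonpEndpoint` is the one addition a practitioner should insist on: because the endpoint's output is executed rather than parsed, anything it reflects unchecked becomes script on the caller's page.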


More information about the devel mailing list