Re: [somewhat OT] mod-jk + ssl: requests are not forward to tomcat correctly

2016-07-12 Thread Wayne Li
Thanks for all!

On Tue, Jul 12, 2016 at 7:17 AM, Rainer Jung wrote:

> On 12.07.2016 at 12:06, André Warnier (tomcat) wrote:
>
>> On 12.07.2016 01:39, Wayne Li wrote:
>>
>>> Probably the quickest : download these files, install them on your
>>> server, and change the above links.
>>> Like : create a sub-directory "/js" of your webapp, and install them
>>> there.
>>> Then change the above links to : href="js/jquery.mobile-1.4.5.min.css"
>>>
>>> Yes. It works. Thanks.
>>>
>>> It is okay for now, but if I do not want to host these files, what should I
>>> do? Can you point a direction for me please?
>>>
>>>
>> I just wanted to make some personal comments here, to what you write above :
>>
>> You are saying that you do not really want to "host" those files on your
>> server, and that you (presumably) would like to continue to link to them
>> directly on the jquery host.
>> But I believe that there are a few considerations to take into account
>> here, on the practical, ethical, and security levels :
>>
>> Basically, if you do this, then it means that any browser, anywhere,
>> that is using your application, will now (try to) access and download
>> these files directly from the jquery server, instead of from your server.
>>
>> 1) ethical aspect :
>> Users of your application will now be using the resources and bandwidth
>> of a server that is not yours, and which is supported by someone else.
>> That someone else may not like this very much.
>> I had a (quick and not exhaustive) look at the jquery website, and I did
>> not find anything which explicitly discourages people from doing this.
>> And it may well be that they actually encourage people to do this (maybe
>> they are pleased to have a lot of traffic).
>>
>> But I believe that before doing something like this, you may want to at
>> least ask them if this is ok, or what they recommend. And in particular
>> in this case, since jquery is a non-profit, open-source resource for
>> which you do not pay in the first place.
>>
>> 2) practical aspect :
>> By doing this, your application becomes dependent on the fact that any
>> of your users' browsers would actually be able to access that external
>> server, which is not under your control. There could be some firewall
>> rule which prevents such an access (now, or at any time in the future).
>> That server could be down for maintenance; it could be re-organised, so
>> that the files are no longer at that specific URL location; the file
>> content could be changed, so that things no longer work in exactly
>> the same way; etc.
>> As you have just found out, even some browser rules (which can change
>> over time) may prevent access to these files.
>> And I know of some websites which take active measures to prevent people
>> doing this (using their resources in such a way), for example by
>> checking the "Referer" of the access to their resources.
>>
>> Another practical aspect, is that if something does not work anymore in
>> one of your applications, your users will come to you for an
>> explanation; and it may be time-consuming, in a case like this, to find
>> out what exactly isn't working.
>>
>> 3) security aspect :
>> If anyone managed to replace the content of that file (again, this is
>> not under your control), they would be able to "inject" malicious
>> content into your application.
>> And to the world at large, this would at first look as if it was your
>> application which is the culprit.
>>
>> These are my personal opinions only.  But for the reasons above, I would
>> rather host myself the resources needed by my applications.
>>
>
> and
>
> 4) Privacy: the owner of the external server (here: jquery) is able to
> track who is visiting your site. Your visitors might not like this.
>
> Regards,
>
> Rainer
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: [somewhat OT] mod-jk + ssl: requests are not forward to tomcat correctly

2016-07-12 Thread Rainer Jung

On 12.07.2016 at 12:06, André Warnier (tomcat) wrote:

On 12.07.2016 01:39, Wayne Li wrote:

Probably the quickest : download these files, install them on your
server, and change the above links.
Like : create a sub-directory "/js" of your webapp, and install them
there.
Then change the above links to : href="js/jquery.mobile-1.4.5.min.css"

Yes. It works. Thanks.

It is okay for now, but if I do not want to host these files, what should I
do? Can you point a direction for me please?



I just wanted to make some personal comments here, to what you write above :

You are saying that you do not really want to "host" those files on your
server, and that you (presumably) would like to continue to link to them
directly on the jquery host.
But I believe that there are a few considerations to take into account
here, on the practical, ethical, and security levels :

Basically, if you do this, then it means that any browser, anywhere,
that is using your application, will now (try to) access and download
these files directly from the jquery server, instead of from your server.

1) ethical aspect :
Users of your application will now be using the resources and bandwidth
of a server that is not yours, and which is supported by someone else.
That someone else may not like this very much.
I had a (quick and not exhaustive) look at the jquery website, and I did
not find anything which explicitly discourages people from doing this.
And it may well be that they actually encourage people to do this (maybe
they are pleased to have a lot of traffic).

But I believe that before doing something like this, you may want to at
least ask them if this is ok, or what they recommend. And in particular
in this case, since jquery is a non-profit, open-source resource for
which you do not pay in the first place.

2) practical aspect :
By doing this, your application becomes dependent on the fact that any
of your users' browsers would actually be able to access that external
server, which is not under your control. There could be some firewall
rule which prevents such an access (now, or at any time in the future).
That server could be down for maintenance; it could be re-organised, so
that the files are no longer at that specific URL location; the file
content could be changed, so that things no longer work in exactly
the same way; etc.
As you have just found out, even some browser rules (which can change
over time) may prevent access to these files.
And I know of some websites which take active measures to prevent people
doing this (using their resources in such a way), for example by
checking the "Referer" of the access to their resources.

Another practical aspect, is that if something does not work anymore in
one of your applications, your users will come to you for an
explanation; and it may be time-consuming, in a case like this, to find
out what exactly isn't working.

3) security aspect :
If anyone managed to replace the content of that file (again, this is
not under your control), they would be able to "inject" malicious
content into your application.
And to the world at large, this would at first look as if it was your
application which is the culprit.

These are my personal opinions only.  But for the reasons above, I would
rather host myself the resources needed by my applications.


and

4) Privacy: the owner of the external server (here: jquery) is able to 
track who is visiting your site. Your visitors might not like this.


Regards,

Rainer





Re: [somewhat OT] mod-jk + ssl: requests are not forward to tomcat correctly

2016-07-12 Thread tomcat

On 12.07.2016 01:39, Wayne Li wrote:

Probably the quickest : download these files, install them on your
server, and change the above links.
Like : create a sub-directory "/js" of your webapp, and install them there.
Then change the above links to : href="js/jquery.mobile-1.4.5.min.css"

Yes. It works. Thanks.

It is okay for now, but if I do not want to host these files, what should I
do? Can you point a direction for me please?



I just wanted to make some personal comments here, to what you write above :

You are saying that you do not really want to "host" those files on your server, and that 
you (presumably) would like to continue to link to them directly on the jquery host.
But I believe that there are a few considerations to take into account here, on the 
practical, ethical, and security levels :


Basically, if you do this, then it means that any browser, anywhere, that is using your 
application, will now (try to) access and download these files directly from the jquery 
server, instead of from your server.


1) ethical aspect :
Users of your application will now be using the resources and bandwidth of a server that 
is not yours, and which is supported by someone else. That someone else may not like this 
very much.
I had a (quick and not exhaustive) look at the jquery website, and I did not find anything 
which explicitly discourages people from doing this. And it may well be that they actually 
encourage people to do this (maybe they are pleased to have a lot of traffic).


But I believe that before doing something like this, you may want to at least ask them if 
this is ok, or what they recommend. And in particular in this case, since jquery is a 
non-profit, open-source resource for which you do not pay in the first place.


2) practical aspect :
By doing this, your application becomes dependent on the fact that any of your users'
browsers would actually be able to access that external server, which is not under your 
control. There could be some firewall rule which prevents such an access (now, or at any 
time in the future).  That server could be down for maintenance; it could be re-organised, 
so that the files are no longer at that specific URL location; the file content could be 
changed, so that things no longer work in exactly the same way; etc.
As you have just found out, even some browser rules (which can change over time) may 
prevent access to these files.
And I know of some websites which take active measures to prevent people doing this (using 
their resources in such a way), for example by checking the "Referer" of the access to 
their resources.


Another practical aspect, is that if something does not work anymore in one of your 
applications, your users will come to you for an explanation; and it may be 
time-consuming, in a case like this, to find out what exactly isn't working.


3) security aspect :
If anyone managed to replace the content of that file (again, this is not under your 
control), they would be able to "inject" malicious content into your application.
And to the world at large, this would at first look as if it was your application which is 
the culprit.


These are my personal opinions only.  But for the reasons above, I would rather host 
myself the resources needed by my applications.




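Added example (not part of the original thread): for the case raised under "3) security aspect", where someone replaces the content of the externally hosted file, browsers support Subresource Integrity, in which the page pins a hash of the file it expects and the browser refuses a copy that differs. The Python sketch below computes that value from a copy you have reviewed and checks another copy against it; the CDN URL, the file bytes and the function names are constructed for this example.

```python
import base64
import hashlib
from html import escape

# SRI allows only these digests; when several are listed the strongest one wins.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_value(content: bytes, alg: str = "sha384") -> str:
    """Return '<alg>-<base64 digest>', the form used in an integrity attribute."""
    if alg not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def content_matches(content: bytes, integrity: str) -> bool:
    """Check content against a space-separated integrity value.

    Assumption of this example: a value with no usable hash fails the check,
    because a build-time gate should fail closed.
    """
    pairs = [tok.split("?", 1)[0].split("-", 1) for tok in integrity.split()]
    usable = [(p[0], p[1]) for p in pairs if len(p) == 2 and p[0] in STRENGTH]
    if not usable:
        return False
    best = max(usable, key=lambda p: STRENGTH[p[0]])[0]
    wanted = {digest for alg, digest in usable if alg == best}
    return sri_value(content, best).split("-", 1)[1] in wanted


def stylesheet_tag(url: str, content: bytes) -> str:
    """Build a <link> tag pinning the reviewed content of a cross-origin stylesheet."""
    return (f'<link rel="stylesheet" href="{escape(url, quote=True)}" '
            f'integrity="{sri_value(content)}" crossorigin="anonymous">')


# Constructed sample data: stand-ins for the reviewed file and a modified copy.
REVIEWED = b".ui-btn { margin: 0; }\n"
MODIFIED = REVIEWED + b"/* changed on the remote host */\n"
CDN_URL = "https://cdn.example/jquery.mobile-1.4.5.min.css"  # hypothetical URL

if __name__ == "__main__":
    print(stylesheet_tag(CDN_URL, REVIEWED))
    print("reviewed copy ok:", content_matches(REVIEWED, sri_value(REVIEWED)))
    print("modified copy ok:", content_matches(MODIFIED, sri_value(REVIEWED)))
```

The pinned value covers only the integrity of the file; the availability and privacy points made in the thread still apply to a file loaded from someone else's server.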