On 22/08/2013 09:34, Paul Wise wrote:
> implementation) I have always thought it was a bad idea, especially
> at minimum is an information leakage. With JS or CSS it might lead to
> security issues in the web apps on the same domain. Instead, the
> scripts used for setting up vhosts should reference the needed
> CSS/JS/etc dependencies using the web server or framework
> configuration. In addition, you can never know which URLs a specific
> web app, vhost or instance of a web app will use at runtime, so
> /_assets or /_sysassets is a recipe for annoying our users (social
> contract says no).
agreed - i don't understand what's the use of sharing all those assets
over http. Besides, it's not that hard to setup a webserver to do just
that and it's up to the user to decide this.
The discussion should be about what are the standard FHS paths to those
files, and if that's not already the case, try to define those paths.
Having standard paths will give us portable httpd configurations.
Another matter is about what are the paths to the other versions of the
have woff, eot, ttf, svg.
> I also think web fonts (and other recent browser attack-surface bloat)
> are an insane idea for security. They also lead to sites doing stupid
> things like putting icons into the PUA of web fonts. They are yet
> another reason why I'm wishing I could leave the web.
PS: oh come on please don't rant