Comments (4)
Hi, thanks for sharing your thoughts!
While I like the idea, it does not appear to be possible to maintain self-updating whitelists. RequestPolicy does allow users to import domains from a file, but this does not allow for pushing updates to clients. It's also not possible to remove old (obsolete) whitelist entries once imported.
This might help users with strict policies with the initial set-up:
[origins]
[destinations]
ajax.googleapis.com
ajax.aspnetcdn.com
ajax.microsoft.com
cdnjs.cloudflare.com
code.jquery.com
cdn.jsdelivr.net
yandex.st
libs.baidu.com
lib.sinaapp.com
upcdn.b0.upaiyun.com
[origins-to-destinations]
Am I missing something with regard to maintenance?
from decentraleyes.
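One way to handle the maintenance gap described above by hand is to diff an earlier import against a newer list and flag entries that are too broad. This is an added example, not Decentraleyes or RequestPolicy code; the `origin|destination` pair syntax, the function names and the `.example` hosts are assumptions.

```javascript
// Parse a RequestPolicy-style import file and diff its [destinations] section.
const SECTIONS = ['origins', 'destinations', 'origins-to-destinations'];
// Bare hostname only: no scheme, path, port or wildcard.
const HOST_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;

function parseWhitelist(text) {
  const out = { origins: new Set(), destinations: new Set(),
                'origins-to-destinations': new Set(), rejected: [] };
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim().toLowerCase();
    if (!line) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      // Entries under an unknown section header are rejected, not guessed at.
      section = SECTIONS.includes(header[1]) ? header[1] : null;
      continue;
    }
    if (!section) { out.rejected.push(raw); continue; }
    // Assumption: pair entries are written "origin|destination".
    const isPair = section === 'origins-to-destinations';
    const hosts = isPair ? line.split('|') : [line];
    if (hosts.length === (isPair ? 2 : 1) && hosts.every((h) => HOST_RE.test(h))) {
      out[section].add(line);
    } else {
      out.rejected.push(raw); // URL, wildcard or malformed entry
    }
  }
  return out;
}

function diffDestinations(importedText, currentText) {
  const old = parseWhitelist(importedText).destinations;
  const cur = parseWhitelist(currentText).destinations;
  return {
    toAdd: [...cur].filter((h) => !old.has(h)).sort(),
    obsolete: [...old].filter((h) => !cur.has(h)).sort(), // remove manually
  };
}

// Constructed sample: an earlier import versus a hypothetical newer list.
const imported = ['[origins]', '[destinations]', 'ajax.googleapis.com',
  'code.jquery.com', 'retired-cdn.example', '[origins-to-destinations]'].join('\n');
const current = ['[origins]', '[destinations]', 'ajax.googleapis.com',
  'code.jquery.com', 'new-cdn.example', '[origins-to-destinations]'].join('\n');

console.log(diffDestinations(imported, current));
```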
Respectfully, the proposed RP whitelist seems like an insecure (too trusting) approach.
I realize that might be the only approach available though, because it can't be guaranteed which request observer will get first dibs.
When DE's "retrieve and cache missing" option is enabled, I would hope DE would raise an infobar announcing "page is requesting a not-yet-cached item from a recognized CDN. Allow/Deny". Upon 'Allow' button click, DE would retrieve and permacache the item then trigger a page reload. It's reasonable to expect this will be a seldom-occurring interruption.
http://www.jsdelivr.com/about
For this CDN in particular, I'm hesitant to carte blanche "allow any missing".
http://blog.jsdelivr.com/
"A big focus was made on our combination feature. You can now visually create your combined URLs using the "Collection" functionality"
http://www.jsdelivr.com/free-open-source-cdn/javascript-cdn
"There are no popularity restrictions and all kinds of files are allowed, including JavaScript libraries, jQuery plugins, CSS frameworks, fonts and more."
Ultimately, after extended surfing, the local DE permacache could accumulate the entirety of
https://github.com/jsdelivr/jsdelivr/tree/master/files
https://github.com/jsdelivr/jsdelivr/archive/master.zip
1.6Gb zipfile
extracted contents: 123,500+ files, 5.0Gb files on disk
ouch
(and, does the jsDelivr "combinations, collections" feature introduce further permutations?)
from decentraleyes.
@stewie Thanks for weighing in.
> Respectfully, the proposed RP whitelist seems like an insecure (too trusting) approach.
Note that you can block requests for any missing resources from preferences, and then whitelist any domains of websites that break without the expected libraries. So, adding the CDN domains to your RequestPolicy whitelist does not necessarily mean allowing all requests for missing resources.
from decentraleyes.
Closing this issue for now (since there now is a static RequestPolicy whitelist). I will be sure to re-open this issue if anyone has a strategy for continued maintenance.
from decentraleyes.