consider blocking non-IPFS subresources on IPFS pages #20522
Comments
CCing @stephendonner 👍
cc @lidel and @spylogsster
I think this is due to a misunderstanding of:
What we meant by this is that an HTTP(S) page is not allowed to load IPFS resources, not to prevent an IPFS page from loading HTTP(S) resources. Are there any security/privacy risks associated with the other way around?
Ah, I see. Thank you for the clarification @diracdeltas.
Yes, absolutely. The principal value proposition of IPFS is that content is immutable and permanent. When sub-resources are loaded over http(s), both of these properties cease to hold. In particular, this behavior is non-obvious to the user unless they manually verify that the page has no http(s) dependencies. What use is an "immutable" IPFS html file if all of its style/script/image dependencies are accessed over http(s) and mutable by whoever controls the http(s) host?? I can understand if the default behavior still allows http(s), but I think Brave should at least include an opt-in configuration option for blocking non-IPFS sub-resources.
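The manual check mentioned in the comment above (verifying that a page has no http(s) dependencies) can be scripted. The following is an added example, not part of the original thread or of Brave's code; the sample HTML, the placeholder CID and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
# <a href> is navigation, not a sub-resource, so it is not listed.
FETCH_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("embed", "src"),
    ("object", "data"),
}
# <link> only triggers a fetch for some rel values (canonical, for one, does not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}

def classify(url):
    """Classify a sub-resource URL as seen from an ipfs:// or ipns:// page."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme in ("http", "https"):
        return "http"       # served by a conventional, mutable host
    if scheme in ("ipfs", "ipns"):
        return "ipfs"
    if scheme == "":
        return "relative"   # relative or //host URL: inherits the page's scheme
    return "other"          # data:, blob:, ...

class SubresourceAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, verdict) in document order

    def handle_starttag(self, tag, attrs):
        rels = set((dict(attrs).get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        for name, value in attrs:
            if (tag, name) in FETCH_ATTRS and value:
                self.findings.append((tag, value, classify(value)))

def http_dependencies(html):
    """Return (tag, url) for every statically declared http(s) sub-resource."""
    audit = SubresourceAudit()
    audit.feed(html)
    return [(tag, url) for tag, url, verdict in audit.findings if verdict == "http"]

# Constructed sample page; "bafyEXAMPLECID" is a placeholder, not a real CID.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://cdn.example/style.css">
<link rel="canonical" href="https://example.org/">
<script src="http://cdn.example/app.js"></script>
<img src="ipfs://bafyEXAMPLECID/logo.png">
<img src="images/photo.jpg">
<a href="https://example.org/about">about</a>
"""

if __name__ == "__main__":
    for tag, url in http_dependencies(SAMPLE_HTML):
        print(f"<{tag}> loads over HTTP(S): {url}")
```

Only statically declared tags are inspected; `srcset`, CSS `url()` references and requests issued by scripts at run time are outside what this check sees.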
Two interlinked topics here (or four, if we look at
👍 I think it is sensible for Brave to "detect use of HTTP on ❓ But we need to be mindful about the default behavior and its impact on existing websites. Areas of concern:
Description
Sites loaded with ipfs:// and ipns:// DO load HTTP sub resources even when "Shields UP for this site". As is indicated in the documentation, my expectation as a user is that only IPFS resources are resolved when viewing a page hosted on IPFS. Either the implementation doesn't properly match the spec or the spec is misleading (or I'm otherwise confused).
Steps to Reproduce
Local Node resolution method.
Some example sites:
Actual result:
The browser loads HTTP(S) resources without blocking them.
Expected result:
No HTTP(S) sub resources should be resolved when accessing an IPFS/IPNS site.
Reproduces how often:
100%.
Brave version (brave://version info)
Miscellaneous Information:
Related: