Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
consider blocking non-IPFS subresources on IPFS pages
See original GitHub issueDescription
Sites loaded with ipfs:// and ipns:// DO load HTTP sub resources even when “Shields UP for this site”. As is indicated in the documentation, my expectation as a user is that only IPFS resources are resolved when viewing a page hosted on IPFS. Either the implementation doesn’t properly match the spec or the spec is misleading (or I’m otherwise confused).
Steps to Reproduce
- Load an IPFS html file with http(s) sub resources, using the
Local Noderesolution method. - Observe that the sub resources are loaded into the browser context.
- Verify that “Shields UP for this site”
Some examples sites:
- ipfs://bafybeif2nqot44skgrerafdu7dn27fcwlgc5udwaojajchg4lppj6dkv6u/
- ipfs://bafybeig4ahvgjr7oardin6vbfaqg5v33ibvm4hcbzzwftebnm75oezglgi/
Actual result:
The browser loads HTTP(S) resources without blocking them.
Expected result:
No HTTP(S) sub resources should be resolved when accessing an IPFS/IPNS site.
Reproduces how often:
100%.
Brave version (brave://version info)
Brave: 1.34.80 Chromium: 97.0.4692.71 (Official Build) (x86_64)
Revision: adefa7837d02a07a604c1e6eff0b3a09422ab88d-refs/branch-heads/4692@{#1247}
OS: macOS Version 12.1 (Build 21C52)
Miscellaneous Information:
Related:
- https://github.com/brave/brave-browser/issues/14147
- https://github.com/brave/brave-core/pull/8106
- https://brave.com/ipfs-support/#:~:text=Additionally%2C Brave only allows subresources to be loaded over IPFS when the main page is loaded from IPFS.
When loading sites over IPFS, Brave instead uses the CID as the origin boundary. Additionally, Brave only allows subresources to be loaded over IPFS when the main page is loaded from IPFS.
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Ah, I see. Thank you for the clarification @diracdeltas.
Yes, absolutely. The principle value proposition of IPFS is that content is immutable and permanent. When sub-resources are loaded over http(s), both of these properties cease to hold. In particular, this behavior is non-obvious to the user unless they manually verify that the page has no http(s) dependencies.
What use is an “immutable” IPFS html file if all of its style/script/image dependencies are accessed over http(s) and mutable by whoever controls the http(s) host??
I can understand if the default behavior still allows http(s), but I think Brave should at least include an opt-in configuration option for blocking non-IPFS sub-resources.
Two interlinked topics here (or four, if we look at
ipfs://andipns://separately):ipfs://oripns://loading subresources over HTTP(S) (<script>,<style>,<img>,<video>,<iframe>etc)ipfs://oripns://executingfetch('https://..calls to talk to web2 service endpoints👍 I think it is sensible for Brave to “detect use of HTTP on
ipfs://andipns://origins” and show a warning about page using “mixed protocols” + Shields UP option to block them as opt-in.❓ But we need to be mindful about the default behavior and its impact on existing websites. Areas of concern:
ipfs://sounds sensible, it will force people to “do the right thing” and publish all necessary subresources on IPFS, but if we start blocking all “mutable” things here, should we also blockipns://?ipns://will break all DNSLink websites where third party JS is talking to some web2 style HTTP endpoint.