Want to run a gateway for loading web apps? Make sure it provides origin isolation.
lidel opened this issue ยท 12 comments
We've made the Origin check more prominent in #148:
- If you don't know why Origin isolation matters, a good primer is at https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
- If you care about security of websites loaded via your gateway, consider converting it to subdomain gateway (see config docs and recipes for go-ipfs). Gateways without origin isolation are now marked with
โ ๏ธ sign, indicating they are not safe for use cases that require origin isolation.- FYSA we will disable local storage, cookies and some Web APIs on the path gateway in the near future (ipfs/in-web-browsers#157), effectively forcing use of subdomain gateways in situations where a dapp or website requires credentials, local storage persistence and/or access to web APIs.
- This is a heads-up to migrate before this becomes a problem for your use case.
Pinging folks who added a gateway to the list in the past, for additional visibility:
@ntninja @go69 @HamedSepehr @aphelionz @joshfraser @obo20 @arhuman @Kcchouette @albertorositani @Jorropo @fooock @cwchristerw @jonaharagon @swedneck @herronjo @meehow @sixcorners @cofeein @SaltyLeo @didnt1able @SIUU @k1ic @weaming @ahmaks @lizelive @FireMasterK @carsenk @plibither8 @xmaysonnave @zikunfan @hybla0 @noormohammedb @CryptoZifter @Mas7erMind @ipfsgate @itargowoosung @gavfu @ivoputzer @Jeroen52
This is a PSA. If you have questions regarding subdomain gateway configuration:
- consult config docs and recipes for go-ipfs
- leverage community support by posting in https://discuss.ipfs.io/c/help/13
Hello, I don't own gateway, only contributing by adding some I find on the Internet
Thx for the ping, I'm in the process to enable it (I recently moved my dns to self hosted for simpler ACME challenges).
I want still to point out that there are legit and safe use case for non origin isolated gateways.
I get about 1 request per second. Most of them are from webtorrent webseeds, or other use cases where my gateway just serve files.
So the website is on an other isolated gateway and it embeds ressources from mine (hopefully using webtorrent or integrity atributes). (Origin isolated gateways could also do the same just fine)
Thanks @lidel
Anybody know a good domain registrar that will allow me to have a wildcard domain? I'll start the transfer process ASAP if somebody can recommend a good one.
@aphelionz every DNS registrar should support wildcard domain names, but if you are looking for a cheap one https://www.cloudflare.com/products/registrar/ usually has the lowest renewal rates.
@aphelionz every DNS registrar should support wildcard domain names, but if you are looking for a cheap one cloudflare.com/products/registrar usually has the lowest renewal rates.
At worst if it doesn't you can just setup your own BIND9 servers and just point the NS domains onto them.
I have hosted IPFS in specific subdomain before using Path Gateway. I'm not sure if I'm going to start using Subdomain gateway because previously it caused my servers to run out of memory.
Implemented Origin isolation for IPFS!
Use Cloudflare + Let's Encryption (acme.sh) + nginx.
@cwchristerw There should be no meaningful difference in memory use between path and subdomain gateways โ the cause of your issues is most likely elsewhere. if you want to find the cause, go-ipfs/docs/debug-guide.md will be useful, then fill issue against https://github.com/ipfs/go-ipfs
@lidel Yeah it was typo ๐ I was meant to say that currently my gateway is offline because IPFS used too much memory ๐
I think we could link to this from the README and then close. open to PR for that from anyone. (or I will get to it)
iirc I kept it open only as a PSA, we can just close this:
- the gateway checker shows prominent warning already
- docs explain Origin isolation importance: https://docs.ipfs.io/how-to/address-ipfs-on-web/#path-gateway
- specs exist: https://github.com/ipfs/specs/blob/main/http-gateways/SUBDOMAIN_GATEWAY.md