- From: Eric Rescorla <ekr@rtfm.com>
- Date: Fri, 15 May 2020 06:11:10 -0700
- To: Michiel Leenaars <michiel.ml@nlnet.nl>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Friday, 15 May 2020 13:12:00 UTC
On Fri, May 15, 2020 at 1:17 AM Michiel Leenaars <michiel.ml@nlnet.nl> wrote:

> Fulfillment (like edge computing) is a different role from delivery, as the
> content or service delivered by the edge node (like the postal piece) would
> just not exist. It is outsourcing core functionality. My reason to reply to
> the original thread was that the traditional CDN role can take place fully
> without authentication (even by pushing it to another subdomain),

I'm not going to get involved in a definitional argument here about what a CDN is, but in the Web security model, the role of hosting static assets generally cannot be done without authentication. The reason for this is that those assets impact the semantics of the web page into which they are loaded. Specifically:

When JS modules are loaded into a page using a <script> tag they become part of the context of the page and have the same privileges as if they were loaded from the origin server. If these are not authenticated there are trivial attacks.

There are other resource types that are more "static" from the Web's perspective (images for instance) but these also can be used for more subtle attacks.

-Ekr