[Pkg-fonts-devel] Debian font URLs [was: Re: Debian javascript URLs]

Paul Wise pabs at debian.org
Thu Aug 22 07:34:38 UTC 2013

Whenever this idea has come up (including the current /javascript
implementation) I have always thought it was a bad idea, especially
for JavaScript. Exposing more than absolutely needed for each website
at minimum is an information leakage. With JS or CSS it might lead to
security issues in the web apps on the same domain. Instead, the
scripts used for setting up vhosts should reference the needed
CSS/JS/etc dependencies using the web server or framework
configuration. In addition, you can never know which URLs a specific
web app, vhost or instance of a web app will use at runtime, so
unilaterally taking over a generic path like /javascript, /assets,
/_assets or /_sysassets is a recipe for annoying our users (social
contract says no).

I also think web fonts (and other recent browser attack-surface bloat)
are an insane idea for security. They also lead to sites doing stupid
things like putting icons into the PUA of web fonts. They are yet
another reason why I'm wishing I could leave the web.




More information about the Pkg-fonts-devel mailing list