pabs at debian.org
Thu Aug 22 07:34:38 UTC 2013

implementation) I have always thought it was a bad idea, especially
at minimum is an information leakage. With JS or CSS it might lead to
security issues in the web apps on the same domain. Instead, the
scripts used for setting up vhosts should reference the needed
CSS/JS/etc dependencies using the web server or framework
configuration. In addition, you can never know which URLs a specific
web app, vhost or instance of a web app will use at runtime, so
/_assets or /_sysassets is a recipe for annoying our users (social
contract says no).

I also think web fonts (and other recent browser attack-surface bloat)
are an insane idea for security. They also lead to sites doing stupid
things like putting icons into the PUA of web fonts. They are yet
another reason why I'm wishing I could leave the web.

More information about the Pkg-fonts-devel