Jan Vladimir Mostert
2015-08-05 19:54:38 UTC
This question doesn't really fit on StackOverflow or Security StackExchange
since it's a question where I'm looking for expert opinions ...
So you've built your enormous dart frontend app, 70000+ lines of gorgeous
dart that compiles into a single minified JS file,
you have about 50 html files, account.html, profile.html, abc.html,
404.html, etc. which get loaded by dart depending on the hash in the url
- e.g. #profile loads profile.html into a div on index.html
<body>
<div id="content">
profile.html content gets loaded here if url is #profile
</div>
</body>
The only way to access data is through AJAX requests to an API somewhere
that is protected either by a session or by a token that's sitting in a
secure httpOnly cookie and every ajax request includes this token
automatically. Requests are cross-domain, but you have filters in place to
only accept requests from the url your dart application sits on.
Now my question is, assuming the API is 100% secure, do you go through
great lengths to protect the html files and other static content in your
dart application or do you just leave it in the open?
Example 1: if I now deploy the above mentioned dart application with all the
html, compiled JS files etc. directly into NGINX, I get a very snappy app
since it's all static content delivered to the browser by an HTTP server
that specialises in serving static content, but anyone can just type in
website.com/html/profile.html and download the profile page's html even if
they are not logged in, not that they can access data from the API, but the
static html files are all open due to them being deployed as static content.
Example 2: I now take all that static content, put it inside a Jetty /
Tomcat web app where each url has a filter in front of it, sacrifice a
little bit of performance in the process, certain html files can now be
accessed publicly whereas others can only be accessed if you have certain
roles and permissions.
If I now type in #profile in my browser, the ajax request trying to load
profile.html will give me a permission denied.
Example 3: Other scenarios I haven't thought about.
What approach do you take and what is your reasoning for doing so?
--
For other discussions, see https://groups.google.com/a/dartlang.org/
For HOWTO questions, visit http://stackoverflow.com/tags/dart
To file a bug report or feature request, go to http://www.dartbug.com/new
To unsubscribe from this group and stop receiving emails from it, send an email to misc+***@dartlang.org.