feat: allow /ipns/webui.ipfs.io on api port #6530
Conversation
We want to allow user to try out the latest versions of the webui before they are officially released with go-ipfs. Right now ipfs-companion includes a workaround to strip the origin header from blessed, new versions of webui, to allow this, but it causes other issues, so we'd like to replace that hack, with this feature. see: ipfs/ipfs-companion#736
We want to allow user to try out the latest versions of the webui before they are officially released with js-ipfs. Context: ipfs/ipfs-companion#736 go-ipfs counterpart: ipfs/kubo#6530 License: MIT Signed-off-by: Marcin Rataj <lidel@lidel.org>
|
I'm a bit concerned about a MITM attack given that DNSLink doesn't check DNSSEC/DNS over TLS. An attacker on, e.g., a coffee shop network could replace the webui and mess with the API directly. |
|
What if we require presence of valid DNSSEC records when ps. at the moment ipfs.io does not have DNSSEC: result from https://dnssec-analyzer.verisignlabs.com/ |
|
Ideally, we'd do that and use DNS over TLS. Alternatively, we could try to use normal certificates. I'm not sure how much DNSSEC should be trusted. |
|
Yes, DNS over TLS/HTTPS is the key mitigation against coffee shop MITM. Either way, this means go-ipfs should not use DNS provided by OS, as we don't know if the response was obtained over TLS. We need to pick a default resolver with support for DNS over TLS (or HTTPS) + make it possible for users to set a different one via config (basically what Firefox does for DNS over HTTPS). Filled #6532 to discuss the details. |
|
I don't believe we need this anymore. With subdomain gateway on localhost (#6096), users who want to use the latest Web UI can add In the future Companion will provide a simple toggle for opt-in into latest webui: ipfs/ipfs-companion#860 Ok to close? |
We want to allow user to try out the latest versions of the webui before they are officially released with go-ipfs.
With this change in place, a user will be able to visit http://localhost:5001/ipns/webui.ipfs.io
and have it fetch the latest version of the webui. go-ipfs can and should continue to ship with a hardcoded CID for a stable release of webui that it has been tested with, but including the ipns address in the list allows us to test out newer versions.
Right now ipfs-companion includes a workaround to strip the origin header from blessed, new versions of webui, to allow this, but it causes other issues, so we'd like to replace that hack, with this feature.
see: ipfs/ipfs-companion#736