sks-devel

Re: [Sks-devel] javascript web of trust visualization: CORS and keyserve


From: Geoffrey Irving
Subject: Re: [Sks-devel] javascript web of trust visualization: CORS and keyserver spam
Date: Sun, 8 Sep 2013 13:05:51 -0700

On Sep 8, 2013, at 12:14 PM, Geoffrey Irving <address@hidden> wrote:

> I am writing a little web-of-trust visualizer in javascript:
> 
>    https://github.com/girving/trust
>    http://naml.us/trust
> 
> The goal is to make it easy for people to both visualize their own webs of 
> trust and the webs of trust of others, without having to install various 
> scripts and gpg.  Hopefully easier pretty pictures will motivate a few more 
> people to learn about this stuff.  This is a first prototype, so apologies 
> for the lack of explanation on the page and all the bugs (the links are red 
> because all signature verification fails).  Also my web of trust is rather 
> tiny, currently.
> 
> Caveats aside, I have one issue and one request:
> 
> The issue: existing keyservers don't implement the CORS protocol 
> (https://en.wikipedia.org/wiki/Cross-origin_resource_sharing), so javascript 
> code is disallowed from accessing them directly.  Fixing this is a matter of 
> adding the header "access-control-allow-origin *" to hkp responses.
> 
> The request: are there any volunteers happy with me pointing the code at 
> their keyserver by default?  If yes, would you be okay adding the CORS 
> headers?  I am happy to write the patch if someone doesn't beat me to it.
> 
> Ideally I would like to eliminate the proxy server and move to pure 
> javascript once CORS is in place, but if others feel this would cause too 
> much keyserver spam I can also expand my proxy server to do more caching 
> (which unfortunately complicates deployment for others wishing to experiment).
> 
> Thanks,
> Geoffrey

Here's a candidate patch implementing CORS.  It is completely untested (except 
that it builds), and makes the entire webserver completely CORS-open.  This 
shouldn't be a problem for keyservers, since third party javascript code isn't 
any different from third party non-javascript code, and the keyserver has no 
javascript code of its own.  I added a few comments to the changed functions 
emphasizing they should only be used for public data; these can be stripped or 
expanded as others prefer.  Let me know if this patch is acceptable, or if any 
changes are desired.

Thanks,
Geoffrey

Attachment: sks-keyserver-cors.patch
Description: Binary data


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
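
The message above argues that a wildcard CORS header is acceptable when every response is public data. The check below is an added example, not part of the original message or the attached patch; the function names and the sample response heads are constructed for illustration.

```javascript
// Added example. Sample response heads are constructed, not captured from a keyserver.
const OPEN_PUBLIC = [
  "HTTP/1.0 200 OK",
  "Content-Type: text/plain",
  "access-control-allow-origin: *",
  "", ""].join("\r\n");

const NO_CORS = ["HTTP/1.0 200 OK", "Content-Type: text/plain", "", ""].join("\r\n");

const OPEN_WITH_STATE = [
  "HTTP/1.0 200 OK",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Credentials: true",
  "Set-Cookie: session=constructed-value",
  "", ""].join("\r\n");

// Parse the header block of a raw HTTP response into a Map keyed by lowercase name.
function parseHead(raw) {
  const headers = new Map();
  const lines = raw.split(/\r?\n/).slice(1); // drop the status line
  for (const line of lines) {
    if (line === "") break; // blank line ends the header block
    const i = line.indexOf(":");
    if (i < 1) continue; // skip malformed lines
    const name = line.slice(0, i).trim().toLowerCase(); // names are case-insensitive
    const value = line.slice(i + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Return a list of findings; an empty list means "CORS-open and stateless".
function auditCorsOpen(raw) {
  const headers = parseHead(raw);
  const origin = headers.get("access-control-allow-origin");
  if (origin === undefined) return ["no-cors-header"]; // browsers block cross-origin script reads
  const findings = [];
  if (origin === "*") {
    // A wildcard only suits responses that are identical for every caller.
    if (headers.get("access-control-allow-credentials") === "true") findings.push("credentials-allowed");
    if (headers.has("set-cookie")) findings.push("sets-cookie");
  }
  return findings;
}

for (const [label, raw] of [["public", OPEN_PUBLIC], ["no CORS", NO_CORS], ["stateful", OPEN_WITH_STATE]]) {
  console.log(label, auditCorsOpen(raw));
}
```

An empty result corresponds to the situation the message describes: public data served with the wildcard header and no per-user state.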

