HTTPS pages should redirect IPFS subresources of a page to IPFS gateway #37534
Comments
kdenhartog
added
security
priority/P3
kdenhartog
changed the title
kdenhartog
changed the title
|
Noting that unless something regressed after #12546, IPFS resources loaded on HTTP(s) are already being blocked. |
|
I just double checked this and that's correct if the top level frame uses HTTPS scheme. If the top level frame is an IPFS scheme than the IPFS resource will be rendered still. I'll update the text here to be a bit more specific about this issue. |
|
Here's a good diagram to visualize how this should work from @vadimstruts shared in slack
|
|
Brave already has logic for detecting top-level IPFS resources based on the HTTPS URL in the address bar (path, subdomain, or dnslink gateways described here). All these Today, Brave detects and displays the badge on such pages: I think @vadimstruts's diagram is ok, it shows how Brave can fix IPFS websites loaded via public HTTP gateways. Loading An alternative, more decentralized version (for path and subdomain URLs) is to use the same origin as path or subdomain gateway user currently is, so if user has preference to use |
|
Here's an updated diagram as well since @diracdeltas caught a problem when discussing further on slack. |
|
This is deprecated by #37735 since we won't support ipfs schemes anymore. |
We should automatically convert IPFS subresources being loaded in an HTTPS top level frame to a public gateway URL that relies upon HTTPS as well rather than block them. If the top level frame uses an IPFS scheme then the current method of loading it via the local node should be used instead.
The text was updated successfully, but these errors were encountered: