<div dir="ltr"><div><div><div>Thomas,<br><br></div>Sorry for the slow response, since I wasn't on the right mailing list yet.<br><br></div>1. I'm trying to figure out the best way possible to address this security breach. I think that the best way to fix this is to augment Bootswatch to only use the URL through a parameter, that can be easily configured. I have an Issue open on their code right now for this very feature.<br><br>Until then, I think that we can easily address the issue from the point of view of Horizon, such that we:<br><div style="margin-left:40px">1. Remove all instances of '<a href="http://fonts.googleapis.com">fonts.googleapis.com</a>' from the SCSS during the preprocessor step. Therefore, no outside URLs that point to this location EVER get hit<br></div><div style="margin-left:80px"><div style="margin-left:40px"><b>or</b><br></div></div><div style="margin-left:40px">2. Until the issue that I created on Bootswatch can be addressed, we can include that file that is making the call in the tree and remove the @import entirely. <br></div><div style="margin-left:40px"><div style="margin-left:40px"><div style="margin-left:40px"><b>or</b><br></div></div></div><div style="margin-left:40px">3.
Until the issue that I created on Bootswatch can be addressed, we can
include the two files that we need from bootswatch 'paper' entirely, and remove Bootswatch as a requirement until we can get an updated package<br></div></div><div><div><br></div><div>2. Its not getting used at all ... anyways. I packaged up the font and make it also available via xstatic. I realized there was some questions about where the versioning came from, but it looks like you might have been looking at the wrong github repo: <a href="https://github.com/Templarian/MaterialDesign-Webfont/releases">https://github.com/Templarian/MaterialDesign-Webfont/releases</a><br><br></div><div>You can absolutely patch out the fonts. The result will not be ugly; each font should fall back to a nice system font. But, we are only using the 'Paper' theme out of Bootswatch right now and therefore only packaged up the specific font required for it.<br><br></div><div>Ping me on IRC @hurgleburgler<br></div><div><br></div><div>- Diana<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 3, 2015 at 9:55 AM, Thai Q Tran <span dir="ltr"><<a href="mailto:tqtran@us.ibm.com" target="_blank">tqtran@us.ibm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr" style="font-family:Arial;font-size:10.5pt"><div dir="ltr"> </div>
<div dir="ltr"> </div>
<blockquote dir="ltr" style="border-left:2px solid rgb(170,170,170);margin-left:5px;padding-left:5px;direction:ltr">----- Original message -----<br>From: Thomas Goirand <<a href="mailto:zigo@debian.org" target="_blank">zigo@debian.org</a>><br>To: "OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>Cc:<br>Subject: [openstack-dev] [horizon] Concern about XStatic-bootswatch imports from <a href="http://fonts.googleapis.com" target="_blank">fonts.googleapis.com</a><br>Date: Thu, Sep 3, 2015 4:30 AM<br>
<div><font face="Default Monospace,Courier New,Courier,monospace" size="2">Hi,<br><br>When doing:<br>grep -r <a href="http://fonts.googleapis.com" target="_blank">fonts.googleapis.com</a> *<br><br>there's 56 lines of this kind of result:<br>xstatic/pkg/bootswatch/data/cyborg/bootstrap.css:@import<br>url("<a href="https://fonts.googleapis.com/css?family=Roboto:400,700" target="_blank">https://fonts.googleapis.com/css?family=Roboto:400,700</a>");<br><br>This is wrong because:<br><br>1/ This is a privacy breach, and one may not agree on hitting any web<br>server which he doesn't control. It's a problem in itself for packaging<br>in Debian, which is currently stopping me from uploading.<br><br>2/ More importantly (and even if you don't care about this kind of<br>privacy breach), this requires Internet access, which isn't at all<br>granted in some installations.<br><br>So I wonder if using bootswatch, which includes such a problem, is<br>really a good idea. Are these fonts import completely mandatory? Or can<br>I patch them out? Will the result be ugly if I patch it out?<br><br>Your thoughts?<br><br>Cheers,<br><br>Thomas Goirand (zigo)<br><br>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></font><br> </div></blockquote>
<div dir="ltr"> </div></div><br>
</blockquote></div><br></div></div>