[openstack-dev] [horizon] Concern about XStatic-bootswatch imports from fonts.googleapis.com

Diana Whitten hurgleburgler at gmail.com
Thu Sep 3 17:58:50 UTC 2015


Thomas,

Sorry for the slow response, since I wasn't on the right mailing list yet.

1. I'm trying to figure out the best way possible to address this security
breach.  I think that the best way to fix this is to augment Bootswatch to
only use the URL through a parameter that can be easily configured.  I
have an issue open on their code right now for this very feature.

Until then, I think that we can easily address the issue from the point of
view of Horizon, such that we:
1. Remove all instances of 'fonts.googleapis.com' from the SCSS during the
preprocessor step. Therefore, no outside URLs that point to this location
EVER get hit
*or*
2. Until the issue that I created on Bootswatch can be addressed, we can
include the file that is making the call in the tree and remove the
@import entirely.
*or*
3. Until the issue that I created on Bootswatch can be addressed, we can
include the two files that we need from bootswatch 'paper' entirely, and
remove Bootswatch as a requirement until we can get an updated package.

2. It's not getting used at all ... anyway.  I packaged up the font and
made it also available via xstatic.  I realized there were some questions
about where the versioning came from, but it looks like you might have been
looking at the wrong github repo:
https://github.com/Templarian/MaterialDesign-Webfont/releases

You can absolutely patch out the fonts.  The result will not be ugly; each
font should fall back to a nice system font.  But, we are only using the
'Paper' theme out of Bootswatch right now and therefore only packaged up
the specific font required for it.

Ping me on IRC @hurgleburgler

- Diana
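The check Thomas ran with grep, and the first remedy Diana proposes (drop the @import before the stylesheet ships), as an added example that is not Horizon's or XStatic's own code. It scans bundled CSS/SCSS for any reference that would contact a host the operator does not control (not only fonts.googleapis.com), distinguishes @import (fetched unconditionally when the sheet is parsed) from url() in a declaration (fetched when the rule applies), and rewrites only the @import statements. The package path, the `allowed_hosts` parameter and the sample stylesheet are assumptions made for the example.

```python
"""Find and strip network-fetching references in bundled CSS.

Added example, not Horizon or XStatic code. The package layout and the
sample stylesheet below are constructed for illustration.
"""
import os
import re
import sys
from urllib.parse import urlsplit

# @import "x";  @import url(x);  @import url("x") screen;  (stops at ; or a brace)
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?["']?(?P<url>[^"'()\s;]+)["']?\s*\)?[^;{}]*;""",
    re.IGNORECASE,
)
# url(x) in any declaration: @font-face src, background images, cursors, ...
URL_RE = re.compile(r"""url\(\s*["']?(?P<url>[^"'()\s]+)["']?\s*\)""", re.IGNORECASE)


def external_host(ref):
    """Host a reference would contact, or None for relative, local and data: refs."""
    if ref.startswith("//"):
        ref = "https:" + ref  # protocol-relative URLs still leave the machine
    parts = urlsplit(ref)
    if parts.scheme in ("http", "https") and parts.netloc:
        return parts.netloc.lower()
    return None


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def find_external_refs(css_text):
    """Return sorted (line, kind, host, url) for every reference that leaves the host.

    kind is 'import' for @import (fetched unconditionally when the sheet is parsed)
    or 'url' for a url() in a declaration (fetched when the rule applies).
    """
    findings, import_spans = [], []
    for m in IMPORT_RE.finditer(css_text):
        import_spans.append(m.span())
        host = external_host(m.group("url"))
        if host:
            findings.append((_line_of(css_text, m.start()), "import", host, m.group("url")))
    for m in URL_RE.finditer(css_text):
        if any(a <= m.start() < b for a, b in import_spans):
            continue  # the url() inside an @import was already counted above
        host = external_host(m.group("url"))
        if host:
            findings.append((_line_of(css_text, m.start()), "url", host, m.group("url")))
    return sorted(findings)


def strip_external_imports(css_text, allowed_hosts=()):
    """Replace @import of any host not in allowed_hosts with a comment.

    Only @import is rewritten: url() references stay and are reported for review,
    since the fix for a web font is usually to vendor the file, not delete the rule.
    The replacement deliberately contains neither '@import' nor 'url(' so a second
    pass over the output finds nothing new.
    """
    def replace(m):
        host = external_host(m.group("url"))
        if host and host not in allowed_hosts:
            return "/* removed at package time: external stylesheet from %s */" % host
        return m.group(0)
    return IMPORT_RE.sub(replace, css_text)


def scan_tree(root, exts=(".css", ".scss")):
    """Map each stylesheet under root (relative path) to its external references."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    refs = find_external_refs(fh.read())
                if refs:
                    report[os.path.relpath(path, root)] = refs
    return report


# Constructed sample in the shape of a bootswatch theme header; not a real file.
SAMPLE_CSS = """\
/* Bootswatch-style theme, constructed for this example */
@import url("https://fonts.googleapis.com/css?family=Roboto:400,700");
@import 'https://fonts.googleapis.com/css?family=Lato:300';
@import url(../shared/variables.css);
@font-face { font-family: "Icons"; src: url(//cdn.example.invalid/icons.woff2); }
body { font-family: "Roboto", sans-serif; background: url("img/bg.png"); }
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_css_origins.py xstatic/pkg/bootswatch/data
        for path, refs in scan_tree(sys.argv[1]).items():
            for line, kind, host, url in refs:
                print("%s:%d: %s -> %s (%s)" % (path, line, kind, host, url))
    else:
        for finding in find_external_refs(SAMPLE_CSS):
            print(finding)
        print(strip_external_imports(SAMPLE_CSS))
```

Run it against the unpacked xstatic package directory to get a per-file list that a Debian packager or CI job can fail on; the `allowed_hosts` argument exists so a deployment that does want a particular origin can keep it explicitly rather than by omission. Removing the @import only drops the font download; the `font-family` declarations stay and fall back to whatever the browser has installed, which is the behaviour Diana describes.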


On Thu, Sep 3, 2015 at 9:55 AM, Thai Q Tran <tqtran at us.ibm.com> wrote:

> ----- Original message -----
> From: Thomas Goirand <zigo at debian.org>
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
> Cc:
> Subject: [openstack-dev] [horizon] Concern about XStatic-bootswatch
> imports from fonts.googleapis.com
> Date: Thu, Sep 3, 2015 4:30 AM
>
> Hi,
>
> When doing:
> grep -r fonts.googleapis.com *
>
> there are 56 lines of this kind of result:
> xstatic/pkg/bootswatch/data/cyborg/bootstrap.css:@import
> url("https://fonts.googleapis.com/css?family=Roboto:400,700");
>
> This is wrong because:
>
> 1/ This is a privacy breach, and one may not agree on hitting any web
> server which he doesn't control. It's a problem in itself for packaging
> in Debian, which is currently stopping me from uploading.
>
> 2/ More importantly (and even if you don't care about this kind of
> privacy breach), this requires Internet access, which isn't at all
> granted in some installations.
>
> So I wonder if using bootswatch, which includes such a problem, is
> really a good idea. Are these font imports completely mandatory? Or can
> I patch them out? Will the result be ugly if I patch it out?
>
> Your thoughts?
>
> Cheers,
>
> Thomas Goirand (zigo)
>