Right now the utterances API is hosted on Azure and client.js is hosted at utteranc.es. So far, this project has been rock solid. Should the utteranc.es domain expire and a bad actor grab hold of it, then many blogs will be subject to a painful attack, where client.js can be replaced with anything.
So I want to make sure: does this project require help or funding to secure utteranc.es's future? Or is it fine for the next decade?
Ideally, there should be a way to host client.js oneself and still allow the interconnect to the utteranc.es API. Practically, this is not possible, due to how CSRF and authentication interact. So if there is a way to allow the static client.js to be hosted by oneself, without self-hosting the API, then I think this project should pursue it.