Open lidel opened 2 days ago
@SgtPooki found this after testing latest main branch with https://github.com/ipfs/ipfs-webui/issues/2250 merged, preferably we would fix this and then tag a release to close the privacy leak for private swarm users.
(fine to pick it up after you are back from JS week, we just want to include it in Kubo 0.31 https://github.com/ipfs/kubo/issues/10499)
@lidel explorer components should only be calling remote gateways if it's enabled: https://github.com/ipfs/ipld-explorer-components/blob/cad6b454ec83940dea86ee1bfb20c415ce9efd18/src/lib/init-helia.ts#L20-L40
I think we can just add a localStorage.setItem('explore.ipld.gatewayEnabled', false)
in ipfs-webui to disable this behavior for webui
@SgtPooki tried that, but then nothing works, just infinite spinner (for blocks that were not cached).
feels like there needs to be another setting which only uses specific gateway (webui would pass localhost one) and does not use delegated routing?
Bug
Explore page triggers block and delegated routing request to remote HTTP servers, including ones outside of control of IPFS project.
This is bad because it does not leverage local gateway, wastes bandwidth, and leaks IPs and CIDs to third party servers, which is extra bad in private cluster contexts.
Expected behavior
Only the local Kubo RPC and Gateway should be used when IPLD Explorer is used in ipfs-webui.
/routing/v1
calls (local gateway will take care of routing, no need for doing it in JS over the internet)?format=raw
should only go to localhost gateway (like we do for file previews)