Secure headers, reduce static content size

styxit / HTPC-Manager

A fully responsive interface to manage all your favorite software on your Htpc.

http://htpc.io

MIT License

529 stars 183 forks source link

Secure headers, reduce static content size #302

Closed Hellowlol closed 9 years ago

Hellowlol commented 9 years ago

This pr is about reducing size of the stuff that gets loaded, like images/css/js etc and to make htpc manager a little more secure against xss attacks.
Auth is disabled for all static content.
Remove some unneeded code

Closes https://github.com/styxit/HTPC-Manager/issues/272

Hellowlol commented 9 years ago

Seems like nonsense, it's still possible to modify a file even if it's minified. If that's a problem I can replace the files I have minified with the authors own minified file..

Glandos commented 9 years ago

OK, I understand this is a hard debate that triggered a lot of flame wars. But no, a minified file is not a source file. It is like a compiled binary. I can modify a binary using an hex editor, however, providing a compiled binary is not releasing a software as open-sourced. I totally understand the reason of minified JS. But in the source tree, they should be plain text. If someone wants to launch the software, it is not hard to add a one-time step that minify it.

I'm sorry to be so much a pain, but minified script are complicated to handle: it's difficult to compare them with their original source to know if they were not altered for example.

Hellowlol commented 9 years ago

Feel free to send a pr regarding the makefile, I cba. @styxit feel free to close this.

madclicker commented 9 years ago

This is a good idea!

I took the liberty of grabbing your minified versions.

I've been in the foss game for well over 15 years:

http://www.who.is/whois/openscripts.com

and this is the stupidest thing I've ever heard, and believe me, I've heard plenty of stupid shit said!

Hellowlol commented 9 years ago

@madclicker great, I was gonna push this to pytunes aswell

Glandos commented 9 years ago

https://lists.debian.org/debian-devel/2014/03/msg00190.html and especially this answer: https://lists.debian.org/debian-devel/2014/03/msg00204.html As you can see, the topic is really long. One can say that this is good or bad. But thinking this question is stupid in itself means that you have no way to be packaged one day. May be you don't mind…

Hellowlol commented 9 years ago

I know nothing about about licenses. I can google tho https://www.gnu.org/licenses/javascript-labels.html. I just don't care. The file you dropped the note about was dual licensed with mit so I hope I can just add license info at the top.

madclicker commented 9 years ago

FOSS is not about formatting. Hellowlol only reformatted the originals. The original formatted source is still available.

@Hellowlol What did you use to minify the js? Does it work for css? I think after the project reaches stability this would be good for all js and css TEXT files.

Hellowlol commented 9 years ago

I just grabbed the optimized version that pagespeed linked to and manually pasted that into the file. (To keep version info etc). I have no idea, we should use some other tool where this can be automated on run time.

styxit commented 9 years ago

Very often my requests take a long time, so gaining some performance is something i would like to achieve and think this is a good start.

About the licences for JS libraries; Maybe we should include the original source and a minified version, and only use the minified version?

Hellowlol commented 9 years ago

Can do :)

Glandos commented 9 years ago

@styxit No problem. After all, I've just checked your license, and you're on MIT. Since jQuery is also on MIT (and on GPL, but you can chose the one you prefer), I think it should be OK to have both side by side (jquery.js.dist for example).

Sorry for the noise. I just wanted to avoid a future trouble, but I am clearly not on duty to hunt this issues :wink:

HTPC-manager is a great software, and I'm still using it anyway!