To protect static content or not in Dart application.


Jan Vladimir Mostert

Aug 5, 2015, 3:54:39 PM
to Dart Misc
This question doesn't really fit on StackOverflow or Security StackExchange since it's a question where I'm looking for expert opinions ...

So you've built your enormous Dart frontend app, 70000+ lines of gorgeous Dart that compiles into a single minified JS file;
you have about 50 HTML files (account.html, profile.html, abc.html, 404.html, etc.) which get loaded by Dart depending on the hash in the URL,
e.g. #profile loads profile.html into a div on index.html:

<body>
  <div id="content">
    profile.html content gets loaded here if url is #profile
  </div>
</body>

The only way to access data is through AJAX requests to an API somewhere that is protected either by a session or by a token that's sitting in a secure httpOnly cookie, and every AJAX request includes this token automatically. Requests are cross-domain, but you have filters in place to only accept requests from the URL your Dart application sits on.

Now my question is, assuming the API is 100% secure, do you go to great lengths to protect the HTML files and other static content in your Dart application, or do you just leave it in the open?

Example 1: if I now deploy the above-mentioned Dart application with all the HTML, compiled JS files etc. directly into NGINX, I get a very snappy app since it's all static content delivered to the browser by an HTTP server that specialises in serving static content, but anyone can just type in website.com/html/profile.html and download the profile page's HTML even if they are not logged in. Not that they can access data from the API, but the static HTML files are all open due to them being deployed as static content.

Example 2: I now take all that static content, put it inside a Jetty / Tomcat web app where each URL has a filter in front of it, and sacrifice a little bit of performance in the process; certain HTML files can now be accessed publicly whereas others can only be accessed if you have certain roles and permissions.
If I now type in #profile in my browser, the AJAX request trying to load profile.html will give me a permission denied.


Example 3: Other scenarios I haven't thought about.

What approach do you take and what is your reasoning for doing so?

Anders Holmgren

Aug 6, 2015, 1:57:27 AM
to Dart Misc
I don't see anything to be gained by locking down static content. You want it eagerly cached, and it doesn't represent any security issues, unless I'm misunderstanding your question.

That's what I do in backlog.io. It's a Polymer front end, and all the static parts have caching headers set and are public.
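The deployment Anders describes (and the "Example 1" setup from the question), written out as an NGINX server block. This is an added example, not configuration from the thread, from backlog.io, or from any Dart project; the host name, the build directory, the `/api/` prefix and the upstream address are assumptions. The point it illustrates is that the static files are public and cacheable because they carry no user data, while access control lives entirely in the API, whose responses are never cached.

```nginx
# Added example (not from the thread): serve the compiled Dart app as public,
# cacheable static content and keep the protected API on a separate path.
# Host name, paths and upstream address are placeholders.

upstream api_backend {
    server 127.0.0.1:8080;   # assumed: the session/token-protected API
}

server {
    listen 443 ssl;
    server_name app.example.com;           # assumed host name
    root /srv/dart-app/build/web;          # assumed Dart build output directory

    # index.html is the shell that loads fragments by URL hash (#profile etc.).
    # Revalidate it on every load so a new deploy is picked up promptly.
    location = /index.html {
        add_header Cache-Control "no-cache";
    }

    # Compiled JS, CSS and the HTML fragments (profile.html, account.html, ...)
    # contain no per-user data, so they are public and cached aggressively.
    # Versioned file names (or a shorter max-age) are needed if fragments change
    # between deploys and you want clients to notice.
    location ~* \.(js|css|html|png|svg|woff2?)$ {
        add_header Cache-Control "public, max-age=86400";
        try_files $uri =404;
    }

    # Anything else falls through to the static tree or 404.
    location / {
        try_files $uri $uri/ =404;
    }

    # The API is where the real access control lives: the backend checks the
    # session or the token in the HttpOnly cookie and enforces its origin
    # filter. Never let a cache or proxy store these responses.
    location /api/ {
        proxy_pass http://api_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header Cache-Control "no-store";
    }
}
```

The property to check after deploying this is the one the question worries about: a user who is not logged in can still fetch profile.html, but it is an empty template, and every request that would fill it goes to `/api/`, where the cookie-based session decides what comes back. If an HTML fragment did contain something that must not be visible to anonymous users, the fix is to move that content behind the API, not to put an authorisation filter in front of the static tree.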

Jan Mostert

Aug 6, 2015, 5:33:09 AM
to Dart Misc

That answers my question perfectly, thanks Anders!
So keeping it inside NGINX with heavy caching is what I'll do.


On Thu, 06 Aug 2015, 07:57 Anders Holmgren <andersm...@gmail.com> wrote:
I don't see anything to be gained by locking down static content. You want it eagerly cached, and it doesn't represent any security issues, unless I'm misunderstanding your question.

That's what I do in backlog.io. It's a Polymer front end, and all the static parts have caching headers set and are public.
