using ownCloud+remotestorage to edit my website


Michiel de Jong

Nov 1, 2012, 2:22:46 PM
to unhosted
hi!

i just wanted to tell you about how i have set up
owncloud+remotestorage to edit my website. When you store files on
owncloud via remotestorage, their Content-Type gets prepended,
followed by an ascii line feed. So when you look at the files on disk
you will see something like:

root@michielbdejong:/var/www/data/admin/unhosted_apps# head websites/https_michielbdejong.com/index.html
text/html
<!DOCTYPE html>
<html>

<head>
<meta charset='utf-8' />
[...]

or:

root@michielbdejong:/var/www/data/admin/unhosted_apps# head public/pictures/michiel.jpg
image/jpeg
????JFIFHH??XICC_PROFILEHLinomntrRGB XYZ ? 1acspMSFTIEC sRGB???-HP
cprtP3desc?lwtpt?bkptrXYZgXYZ,bXYZ@
[...]

So i wrote a short nodejs script that opens these files as Buffers,
then locates the first linefeed character with a (buffer[i]==10)
check, and then separates and serves the Content-Type and the document
content as desired.

I created a 'websites' module for now, but only put my index.html on
there; the picture is served from my public/pictures scope.

On a side note, this highlights the use for ETag headers, since now
when you visit https://michielbdejong.com/ the image will not ever be
cached by your browser.

I would discourage people from serving their website straight from the
public area on their remotestorage, both because it can not be the
root of a domain, which is a bit ugly, and because it opens cross-site
scripting risks; a malicious app could gain access to a seemingly
unimportant part of your remotestorage, then plant a javascript file
there, and execute it in the browser, thus gaining access to your
website's origin and whatever you may have on there. This is of course
especially relevant for origins on which you're hosting owncloud or
other cookie-based admin panels.

My next step will be to write a usable photo upload app using
javascript file upload, and a usable website editor app using
CodeMirror. For now, i'm developing this for personal use, and it's
quite experimental (i didn't even bother publishing the code yet) but
my idea is that in the future this could mature and become a way for
people to edit their own website through unhosted web apps.


Ciao!
Michiel
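
An added example of the split-and-serve step described in the message above, with the ETag its side note asks for (this is not Michiel's script, which the post says was not published). The function names, the 255-byte scan limit, the media-type check and the nosniff header are assumptions of this sketch, not part of the ownCloud app or the remotestorage spec.

```javascript
const { createHash } = require('crypto');

const LF = 10;            // ASCII line feed that ends the stored Content-Type line
const MAX_TYPE_LEN = 255; // assumption: never scan further than this for the LF
// Assumption: accept only "type/subtype" plus optional parameters. The line
// ends up in a response header, so anything else (a stray CR, say) is refused.
const TYPE_RE = /^[\w.+-]+\/[\w.+-]+(?:\s*;\s*[\w-]+=[\w."-]+)*$/;

// Split "<Content-Type>\n<content>" as stored on disk; null if malformed.
function splitStored(buffer) {
  const limit = Math.min(buffer.length, MAX_TYPE_LEN + 1);
  let i = 0;
  while (i < limit && buffer[i] !== LF) i++;   // same check as buffer[i]==10
  if (i === limit) return null;                // no line feed where expected
  const contentType = buffer.toString('latin1', 0, i);
  if (!TYPE_RE.test(contentType)) return null; // not a usable media type
  return { contentType, body: buffer.subarray(i + 1) };
}

// Build status, headers and body for a GET; ifNoneMatch is the request's
// If-None-Match value, if any. The ETag is a hash of the body only.
function buildResponse(buffer, ifNoneMatch) {
  const doc = splitStored(buffer);
  if (!doc) return { status: 500, headers: {}, body: Buffer.alloc(0) };
  const etag = '"' + createHash('sha256').update(doc.body).digest('hex') + '"';
  const headers = {
    'Content-Type': doc.contentType,
    'ETag': etag,
    'X-Content-Type-Options': 'nosniff', // serve exactly the stored type
  };
  if (ifNoneMatch === etag) {
    return { status: 304, headers, body: Buffer.alloc(0) }; // browser copy is current
  }
  return { status: 200, headers, body: doc.body };
}

// Constructed sample inputs in the on-disk layout shown in the message.
const SAMPLE_HTML = Buffer.from('text/html\n<!DOCTYPE html>\n<html>\n');
// The body itself contains a 0x0a byte: only the first line feed is a separator.
const SAMPLE_JPEG = Buffer.concat([
  Buffer.from('image/jpeg\n'),
  Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x0a, 0x00]),
]);
```

In a real handler the buffer would come from fs.readFile(<fullPath>, cb) and the result would be passed to res.writeHead(status, headers) and res.end(body).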

Jan-Christoph Borchardt

Nov 1, 2012, 4:51:37 PM
to unho...@googlegroups.com, Niklas Cathor, Michiel de Jong
Nice!

On Thu, Nov 1, 2012 at 7:22 PM, Michiel de Jong <mic...@unhosted.org> wrote:
> i just wanted to tell you about how i have set up
> owncloud+remotestorage to edit my website. When you store files on
> owncloud via remotestorage, their Content-Type gets prepended,
> followed by an ascii line feed. So when you look at the files on disk
> you will see something like:

Hm, does ownCloud do that or remotestorage? Shouldn’t remotestorage
public enable people to host their data raw?



> I would discourage people from serving their website straight from the
> public area on their remotestorage, both because it can not be the
> root of a domain, which is a bit ugly, and because it opens cross-site
> scripting risks; a malicious app could gain access to a seemingly
> unimportant part of your remotestorage, then plant a javascript file
> there, and execute it in the browser, thus gaining access to your
> website's origin and whatever you may have on there. This is of course
> especially relevant for origins on which you're hosting owncloud or
> other cookie-based admin panels.

Can you expand on why it can’t be the root of a domain? When I have a
domain and put a remotestorage software on it, is there no way to
serve it from domain.com/filename?
And the cross-site scripting risks – isn’t that something that should
be taken care of by the storage software?

Michiel de Jong

Nov 1, 2012, 6:32:34 PM
to Jan-Christoph Borchardt, unho...@googlegroups.com, Niklas Cathor
On Thu, Nov 1, 2012 at 9:51 PM, Jan-Christoph Borchardt
<h...@jancborchardt.net> wrote:
> Nice!
>
> On Thu, Nov 1, 2012 at 7:22 PM, Michiel de Jong <mic...@unhosted.org> wrote:
>> i just wanted to tell you about how i have set up
>> owncloud+remotestorage to edit my website. When you store files on
>> owncloud via remotestorage, their Content-Type gets prepended,
>> followed by an ascii line feed. So when you look at the files on disk
>> you will see something like:
>
> Hm, does ownCloud do that or remotestorage? Shouldn’t remotestorage
> public enable people to host their data raw?

the remotestorage functionality of the 'Unhosted apps' app for
owncloud stores the data that way. It's because the file system
doesn't expose a way to store the Content-Type separately from the
file content.

> Can you expand on why it can’t be the root of a domain?

the way we defined it, if you store a document 'something' publicly
in module 'things', then it has to be at

{storage_root}/public/things/something

You cannot store a public document at {storage_root}/ or even
{storage_root}/index.html.

> When I have a
> domain and put a remotestorage software on it, is there no way to
> serve it from domain.com/filename?

well, the way to do it is what i described. :) add a webserver to it
that serves the domain root from some folder on your storage.

> And the cross-site scripting risks – isn’t that something that should
> be taken care of by the storage software?

no, at most it can be taken care of by the user being very careful
about which apps she uses, but since apps get PUT access to the
remotestorage domain, they are at liberty to store any executable
javascript they want on there. The server could refuse to serve
certain dangerous Content-Types like text/html and
application/javascript, but then it would be in violation of the spec.

ciao,
Michiel

Nick Jennings

Nov 1, 2012, 11:03:24 PM
to unho...@googlegroups.com
On Thu, Nov 1, 2012 at 6:22 PM, Michiel de Jong <mic...@unhosted.org> wrote:
> When you store files on
> owncloud via remotestorage, their Content-Type gets prepended,
> followed by an ascii line feed. So when you look at the files on disk
> you will see something like:
>
> root@michielbdejong:/var/www/data/admin/unhosted_apps# head
> websites/https_michielbdejong.com/index.html

Hi Michiel, how are you accessing your remoteStorage from the filesystem?

Michiel de Jong

Nov 2, 2012, 4:40:57 AM
to unho...@googlegroups.com
that example was typing 'head <filename>' while ssh'ed into the
server. the webserver i run on there does it with
fs.readFile(<fullPath>, cb)


Melvin Carvalho

Nov 2, 2012, 6:51:37 AM
to unho...@googlegroups.com

Looks cool.

Will you be using this as an 'indieweb' site, i.e. 'host your own identity'?

I was talking to Tantek at TPAC this week and we both think it would be cool to get a few indieweb sites interoperating.

> I would discourage people from serving their website straight from the
> public area on their remotestorage, both because it can not be the
> root of a domain, which is a bit ugly, and because it opens cross-site
> scripting risks; a malicious app could gain access to a seemingly
> unimportant part of your remotestorage, then plant a javascript file
> there, and execute it in the browser, thus gaining access to your
> website's origin and whatever you may have on there. This is of course
> especially relevant for origins on which you're hosting owncloud or
> other cookie-based admin panels.
>
> My next step will be to write a usable photo upload app using
> javascript file upload, and a usable website editor app using
> CodeMirror. For now, i'm developing this for personal use, and it's
> quite experimental (i didn't even bother publishing the code yet) but
> my idea is that in the future this could mature and become a way for
> people to edit their own website through unhosted web apps.
>
>
> Ciao!
> Michiel
