Description
Consolidating information from a slack thread:
I’ve been thinking about adding a configuration page to the service worker gateway, so folks can configure their own gateways/routers/etc, similar to ipfs-companion, but it would be accessible via the main page of the service-worker-gateway. any interest in that….?
What config?
What should we be able to configure?
The configuration page at deployed-sw-gateway.example.com root should allow the user to
See
- build version
Modify
- trustless gateways
- delegated routing endpoints
- DoH resolvers used
- an option to trigger worker reload on all subdomains (maybe via cookie mentioned below)
Potential solutions
Cookies
We shouldn't allow much control via a cookie because of the damage dApps on other subdomains could cause.
dApps could purposefully override trustless-gateways & other settings. See https://www.rfc-editor.org/rfc/rfc6265#section-8.6:
The foo.example.com server can set a cookie with a
Domain attribute of "example.com" (possibly overwriting an existing
"example.com" cookie set by bar.example.com), and the user agent will
include that cookie in HTTP requests to bar.example.com. In the
worst case, bar.example.com will be unable to distinguish this cookie
from a cookie it set itself. The foo.example.com server might be
able to leverage this ability to mount an attack against
bar.example.com.
from @lidel
I think it is better to do things correctly and limit cookie only as a blunt flag, at most for triggering reload, dont pass any sensitive config
iFrame message passing
We should be able to do this since the configuration could be writable only from the root, and would be read-only from subdomains.
### Tasks
- [ ] import/export of config as json file
- [ ] display default providers
- [ ] allow configuring dns resolvers
- [ ] change gateways/routers input from json to input with list items of configured gateways (trash icon - click to remove)
- [ ] reset config to default (to allow users to save themselves if they bork things)