I have a public ipfs read-only gateway node, which I’m using for serving only the static files like json/jpg/mp4.
I’ve read about the possibility of XSS attacks on my public gateway so my users may be affected from it.
I’ve looked into Address IPFS on the Web | IPFS Docs
but I think I don’t need subdomain gateways to mitigate the issue because I’m not hosting any web applications or websites from my gateway.
My current node configuration is like this but I can’t be sure if I’m doing it right.
If you aren’t hosting any app on the gateway I guess that mean you are only serving static files.
And gateways does not allow registering web workers that could modify the content, so the static files can’t be touched by the xss.
In other words, is an xss that can do nothing an issue ? (no it isn’t)
If you are using it to host an app, you are right, you need a subdomain based one.
That means the IPFS gateway will only serve files present in it’s datastore and not download from the IPFS network (that require you to pin the files first, else they wont be present and it would fail).
Just to understand correctly, if I were to serve files from another nodes then I should enforce site isolation. Let’s say I’ve registered my gateway at mypublicgateway.com and serving content at mypublicgateway.com/ipfs/<CID> path. In this case I just have to add the following to my gateway configuration, right ?