| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| |
| <html> |
| <head> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <title>Security Considerations for PageSpeed</title> |
| <link rel="stylesheet" href="doc.css"> |
| </head> |
| <body> |
| <!--#include virtual="_header.html" --> |
| |
| |
| <div id=content> |
| <h1>Security Considerations for PageSpeed</h1> |
| |
| |
| <p> |
| Any change to a website has the possibility of introducing new security holes. |
| Pagespeed is not an exception to this rule. This document covers specific |
| security concerns to keep in mind when using PageSpeed. |
| </p> |
| |
| <h2 id="untrusted_content">Untrusted Content</h2> |
| <p> |
| Any time you reference untrusted content on your website, you are at risk of |
| security attack. This is most clear for JavaScript which will have access to |
| your domain's cookies because of the Same Origin Policy. It can also be true |
| for CSS, which can contain JavaScript references (ex. the IE behavior |
| property described in this |
| <a href="http://www.w3.org/TR/1999/WD-becss-19990804#behavior">W3C reference</a> |
| and at this <a href="http://reference.sitepoint.com/css/behavior">reference</a> |
| by SitePoint®. Even images in certain situations can be used in attacks |
| (ex: <a href="http://hackaday.com/2008/08/04/the-gifar-image-vulnerability/"> |
| GIFAR attack</a>). |
| </p> |
| <p class="caution"> |
| <strong>Caution:</strong> |
| Do not reference untrusted content on your website. If you do store |
| user content or other untrusted content, keep it on a separate cookie-less |
| domain and do <strong>NOT</strong> tell PageSpeed to rewrite from that |
| domain to your main cookied domain. |
| </p> |
| |
| <h2 id="private_content">Private Content</h2> |
| <p> |
| PageSpeed rewrites and, effectively, proxies resources referenced in |
| the main HTML document. It respects public caching headers, so if a resource |
| is not explicitly marked public cacheable, PageSpeed will not rewrite |
| nor re-serve it. However, PageSpeed will re-serve resources which |
| <strong>ARE</strong> publicly cacheable. |
| If you serve private content as publicly cacheable, |
| PageSpeed will proxy it to any who requests a specific URL. Note that any |
| public proxy in the Internet can do the same thing. |
| </p> |
| <p class="caution"> |
| <strong>Caution:</strong> |
| Explicitly mark private content as not publicly cacheable. |
| </p> |
| |
| |
| </div> |
| <!--#include virtual="_footer.html" --> |
| </body> |
| </html> |