Future proofing

[FrostKiwi]

Right now the utterances API is hosted on Azure and client.js is hosted utteranc.es. So far, this project has been rock solid. Should the utteranc.es domain expire and a bad actor grabs hold of it, then many blogs will be subject to a painful attack, where client.js can be replaced with anything.

So I want to make sure, does this project require help or funding, to secure utteranc.es's future? Or is it fine for the next decade?

Ideally, there should be a way to host client.js by oneself and still allow the interconnect to the utteranc.es API. Practically, this is not possible, due to how CSRF and authentication interact. So if there is a way to allow the static client.js to be hosted by oneself, without the self-hosting of the API, then I think this project should pursue it.

[Serpentarius13]

We can host it on https://www.jsdelivr.com/ which is an industry standard for hosting scripts. It is a free CDN also

[FrostKiwi]

We can host it on https://www.jsdelivr.com/ which is an industry standard for hosting scripts. It is a free CDN also

You are correct.

I was under the impression, that one cannot self-host client.js without self-hosting the full utterances backend as hosted on Azure. But that's not quite true, I misread how

utterances/src/client.ts

Line 75 in 9e79bda

const utterancesOrigin = script.src.match(/^https:\/\/utteranc\.es|http:\/\/localhost:\d+/)![0];

works.

Anything beyond that is off-limits. Also no way to change font color etc. beyond the themes in the repo without self-hosting the backend, due to cross-domain security rules.

In the grand scheme of things this doesn't matter though in a domain expiration case, as you still allow the holder of utteranc.es to put anything on your website via the i-frame. 🤔

So the main question remains: Is the domain safe for the next decade, any monetary help needed to safe-guard the domain + the cost for running the Azure backend or should users migrate to giscus if talk on preserving comments for the 10 years.

[Serpentarius13]

@FrostKiwi What do you mean by "cross-domain security rules"? You mean that it is hard-coded in the script to have certain origin, or we wouldn't be able to postMessage if the script is moved to jsdevilr?