Right now the utterances API is hosted on Azure and client.js is hosted on utteranc.es. So far, this project has been rock solid. Should the utteranc.es domain expire and a bad actor grab hold of it, then many blogs will be subject to a painful attack, where client.js can be replaced with anything.
So I want to make sure: does this project require help or funding to secure utteranc.es's future? Or is it fine for the next decade?
Ideally, there should be a way to host client.js by oneself and still allow the interconnect to the utteranc.es API. Practically, this is not possible, due to how CSRF and authentication interact. So if there is a way to allow the static client.js to be hosted by oneself, without the self-hosting of the API, then I think this project should pursue it.