mod_pagespeed Inlining resources without explicit authorization - safe in XenForo?

Amin Sabet

Well-known member
From: https://developers.google.com/speed/pagespeed/module/domains

Inlining resources without explicit authorization
Note: New feature as of 1.8.31.2

Several filters in PageSpeed operate by inlining content from resources into the HTML: inline_css, inline_javascript and prioritize_critical_css are a few of the filters that operate in this manner. If resources from third-party domains are not authorized explicitly, the effectiveness of these filters decreases. For instance, prioritize_critical_css attempts to remove blocking CSS requests needed for the initial render by inlining critical CSS snippets into the HTML, however, the CSS resources that are not authorized will continue to block. This option allows such resources to be inlined without having to authorize all the individual domains.

The InlineResourcesWithoutExplicitAuthorization directive can be used to allow resources from third-party domains to be inlined into the HTML without requiring explicit authorization for each domain. This option is “off” by default, and takes a comma-separated list of strings representing resource categories for which the option should be enabled. The list of valid resource categories is given here. Currently, only Script and Stylesheet resource types are supported for this option.

This option can be enabled as follows:
Apache:

ModPagespeedInlineResourcesWithoutExplicitAuthorization Script,Stylesheet
Nginx:

pagespeed InlineResourcesWithoutExplicitAuthorization Script,Stylesheet;
Warning: Enabling InlineResourcesWithoutExplicitAuthorization could permit hostile third parties to access any machine and port that the server running mod_pagespeed has access to, including potentially those behind firewalls. Please read the following information for details.

This directive should only be enabled if all of the following conditions are met for the resource types for which this option is enabled:

  1. The webmaster is confident that the resources referenced on their pages are from trusted domains only.
  2. The site does not allow user-injected resources for the enabled resource types.
  3. Fetches from the PageSpeed server should have no more access to machines or ports than anyone on the Internet, and machines it can access should not treat its traffic specially. Specifically, the PageSpeed servers should not be able to access anything that is internal to a firewall. Please refer to Fetch server restrictions sections for more details.
Note that resources inlined into HTML via this option will not be accessible directly via a pagespeed URL, since that involves different security risks. Resources will also not be inlined into other non-HTML resources via this option. This means that flatten_css_imports will not flatten third-party CSS into another CSS resource, unless the relevant third-party domains are authorized explicitly via one of the techniques mentioned in the previous sections.

Is this safe to enable in XenForo?

Does XenForo allow user-injected resources for scripts and stylesheets?
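To make the warning in the quoted documentation concrete, here is an added example (not mod_pagespeed's code, and not from the original post) that models the authorization decision the doc describes: resources on the site's own domain or an explicitly authorized domain are eligible for inlining, and other domains become eligible only when InlineResourcesWithoutExplicitAuthorization lists their category. The site host, the CDN domain, the internal address and the sample HTML are all constructed for the illustration, and the model is deliberately simplified (it ignores the other domain-mapping directives). The third tag stands in for the "user-injected resource" from condition 2: once the directive is on, the server itself fetches that URL and inlines whatever comes back.

```python
"""Model of the inlining authorization decision described in the quoted doc.

Added example, not mod_pagespeed's own code. It mimics which <script> and
<link rel="stylesheet"> resources PageSpeed would fetch for inlining under a
given configuration and flags the case the warning is about: a user-injected
tag pointing at an internal host.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical site (assumption, not a real forum).
SITE_HOST = "forum.example.com"

# Small, deliberately narrow tag patterns for the constructed sample below.
SCRIPT_RE = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.I)
STYLESHEET_RE = re.compile(r'<link[^>]*\srel="stylesheet"[^>]*\shref="([^"]+)"', re.I)


def find_resources(html):
    """Return (category, url) pairs for the two categories the directive supports."""
    found = [("Script", u) for u in SCRIPT_RE.findall(html)]
    found += [("Stylesheet", u) for u in STYLESHEET_RE.findall(html)]
    return found


def resource_host(url):
    """Host of an absolute URL; a relative URL belongs to the site itself."""
    host = urlparse(url).hostname
    return host if host else SITE_HOST


def is_internal_host(host):
    """True for literal IPs in private, loopback or link-local ranges.

    A hostname that merely resolves to such a range is not caught here; this is
    a static illustration of condition 3, not a replacement for restricting
    what the fetch server can reach on the network.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def would_fetch_for_inlining(category, url, authorized_domains, inline_without_auth):
    """Would PageSpeed fetch this resource in order to inline it into the HTML?

    Own domain and explicitly authorized domains are always eligible; anything
    else only if InlineResourcesWithoutExplicitAuthorization names the category.
    """
    host = resource_host(url)
    if host == SITE_HOST or host in authorized_domains:
        return True
    return category in inline_without_auth


def classify(html, authorized_domains=(), inline_without_auth=()):
    """Return (category, url, fetched, internal_host) for every resource in html."""
    rows = []
    for category, url in find_resources(html):
        fetched = would_fetch_for_inlining(
            category, url, set(authorized_domains), set(inline_without_auth))
        rows.append((category, url, fetched, is_internal_host(resource_host(url))))
    return rows


# Constructed sample page: two legitimate resources plus one tag standing in
# for markup a user managed to inject into the page.
SAMPLE_HTML = """
<link rel="stylesheet" href="/styles/default.css">
<script src="https://cdn.example-cdn.net/lib.js"></script>
<link rel="stylesheet" href="http://10.0.0.5:8080/admin/status">
"""

if __name__ == "__main__":
    configs = [
        ("Domain cdn.example-cdn.net (explicit authorization only)",
         dict(authorized_domains=["cdn.example-cdn.net"])),
        ("InlineResourcesWithoutExplicitAuthorization Script,Stylesheet",
         dict(inline_without_auth=["Script", "Stylesheet"])),
    ]
    for name, cfg in configs:
        print(name)
        for category, url, fetched, internal in classify(SAMPLE_HTML, **cfg):
            flag = "  <-- server fetches an internal host" if fetched and internal else ""
            print(f"  {category:10} {url:40} fetch={fetched}{flag}")
```

Under the first configuration the CDN script is inlined and the injected internal URL is ignored; under the second the injected URL is fetched by the server and its response would land in the page, which is exactly why the doc ties the directive to conditions 2 and 3.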