
gateway: add trustless-only mode #225

@lidel

Description

What

There should be a way to only expose response types required by trustless mode.

The trustless-only mode must have two key features:

  • the client is provided with the ability to fetch all information necessary for verifying and deserializing data (Block, CAR, and ipfs-record from IPIP-351) end-to-end.
  • it is impossible to make a mistake and send a request that delegates trust to the gateway
  • when enabled, trusted responses are disabled
  • for example, if someone sends a request without an explicit Accept or ?format, the gateway returns HTTP error 501 Not Implemented stating that only verifiable response types are supported

How

TBD; we need some sane defaults that also account for users of the library not shooting themselves in the foot if they do nothing.

  • Only trustless responses by default
    • add an implicit exception for localhost / 127.0.0.1 / ::1
    • enabling trusted responses requires explicit opt-in per hostname
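The defaults sketched above, worked through as an added Go example (this is not boxo's code; the names TrustlessPolicy, Decide, Middleware and StatusFor, and the ?format aliases raw/car/ipns-record, are assumptions made for the illustration). The policy treats a request as verifiable only when it names one of the three trustless content types explicitly via Accept or ?format; anything else is served only on loopback or on a hostname that was opted in, and is otherwise answered with 501 Not Implemented:

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Content types a client can verify end-to-end (raw block, CAR, IPNS record).
var trustlessTypes = map[string]bool{
	"application/vnd.ipld.raw":         true,
	"application/vnd.ipld.car":         true,
	"application/vnd.ipfs.ipns-record": true,
}

// Constructed ?format= aliases for the same types (assumption, not boxo's table).
var formatAliases = map[string]string{
	"raw":         "application/vnd.ipld.raw",
	"car":         "application/vnd.ipld.car",
	"ipns-record": "application/vnd.ipfs.ipns-record",
}

// TrustlessPolicy is trustless-only by default; trusted (deserialized)
// responses need an explicit per-hostname opt-in, except on loopback.
type TrustlessPolicy struct {
	TrustedHosts map[string]bool // lower-case hostnames opted in to trusted responses
}

// hostname strips an optional :port and IPv6 brackets from a Host header value.
func hostname(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		return h
	}
	return strings.Trim(host, "[]")
}

// isLoopback implements the implicit exception for localhost / 127.0.0.1 / ::1.
func isLoopback(host string) bool {
	h := hostname(host)
	if strings.EqualFold(h, "localhost") {
		return true
	}
	ip := net.ParseIP(h)
	return ip != nil && ip.IsLoopback()
}

// requestedType returns the verifiable content type a request asks for
// explicitly, or "" when the request would fall back to a trusted default.
func requestedType(r *http.Request) string {
	if f := r.URL.Query().Get("format"); f != "" {
		return formatAliases[f] // unknown alias -> "" -> not verifiable
	}
	for _, part := range strings.Split(r.Header.Get("Accept"), ",") {
		ct := strings.TrimSpace(strings.SplitN(part, ";", 2)[0]) // drop ;q=...
		if trustlessTypes[ct] {
			return ct
		}
	}
	return ""
}

// Decide reports whether the request may be served and, when it named a
// verifiable type, which one.
func (p TrustlessPolicy) Decide(r *http.Request) (bool, string) {
	if ct := requestedType(r); ct != "" {
		return true, ct
	}
	if isLoopback(r.Host) || p.TrustedHosts[strings.ToLower(hostname(r.Host))] {
		return true, "" // trusted response allowed on this host
	}
	return false, ""
}

// Middleware rejects requests that would delegate trust to the gateway.
func (p TrustlessPolicy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ok, _ := p.Decide(r); !ok {
			http.Error(w, "only verifiable response types are supported: "+
				"application/vnd.ipld.raw, application/vnd.ipld.car, application/vnd.ipfs.ipns-record",
				http.StatusNotImplemented)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor runs one constructed request through the middleware and returns
// the resulting status code (the wrapped handler always answers 200).
func StatusFor(p TrustlessPolicy, host, accept, format string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	target := "/ipfs/bafy-example-cid" // constructed path
	if format != "" {
		target += "?format=" + format
	}
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.Host = host
	if accept != "" {
		req.Header.Set("Accept", accept)
	}
	rec := httptest.NewRecorder()
	p.Middleware(next).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	p := TrustlessPolicy{TrustedHosts: map[string]bool{"gw.example.net": true}}
	for _, c := range []struct{ host, accept, format string }{
		{"ipfs.example.org", "", ""},                         // ambiguous -> 501
		{"ipfs.example.org", "application/vnd.ipld.car", ""}, // explicit -> 200
		{"localhost:8080", "", ""},                           // loopback -> 200
		{"gw.example.net", "", ""},                           // opted in -> 200
	} {
		fmt.Printf("host=%-17s accept=%-27q format=%-4q -> %d\n",
			c.host, c.accept, c.format, StatusFor(p, c.host, c.accept, c.format))
	}
}
```

The opt-in map is keyed by hostname only, so the same policy applies whether the request arrives on gw.example.net or gw.example.net:443; a quality-weighted Accept such as "text/html, application/vnd.ipld.raw;q=0.5" still counts as explicit because the client named a verifiable type it can deserialize.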

Why

Hard lessons from project Rhea / Saturn about the tyranny of the default. Exposing deserialized responses in cases where a project only needs a subset of the entire gateway spec creates a surface for abuse.

It is way, way less work for everyone if boxo/gateway library provides a single configuration option to allow deserialized responses on non-localhost hostnames.

Labels

  • P2 (Medium: Good to have, but can wait until someone steps up)
  • dif/hard (Having worked on the specific codebase is important)
  • dif/medium (Prior experience is likely helpful)
  • need/triage (Needs initial labeling and prioritization)
  • topic/gateway (Issues related to HTTP Gateway)