[tahoe-dev] [tahoe-lafs] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?

tahoe-lafs trac at allmydata.org
Sat Nov 7 08:09:56 UTC 2009


#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
---------------------------+------------------------------------------------
     Reporter:  zooko      |        Type:  defect           
       Status:  new        |    Priority:  critical         
    Milestone:  undecided  |   Component:  code-frontend-web
      Version:  1.3.0      |    Keywords:  newcaps security 
Launchpad_bug:             |  
---------------------------+------------------------------------------------

Comment(by davidsarah):

 Ooh, this is interesting:

 http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html

 > If url identifies a resource that is its own trust domain (e.g. it
 identifies an e-mail on an IMAP server or a post on an NNTP server) then
 return a globally unique identifier specific to the resource identified by
 url, so that if this algorithm is invoked again for URLs that identify the
 same resource, the same identifier will be returned.

 > If url does not use a server-based naming authority, or if parsing url
 failed, or if url is not an absolute URL, then return a new globally
 unique identifier.

 I don't know whether this is new proposed HTML5 behaviour, or what
 browsers currently implement. If the latter, then we could try using an
 IMAP or NNTP server for the WUI -- bizarre, but possibly simpler than my
 iframe suggestion above, if it works.

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/615#comment:10>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
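
The origin rules quoted in the comment above, as an added example that is not part of the original post or of Tahoe-LAFS: it uses the WHATWG `URL` API of a current JavaScript runtime to show which URLs end up sharing an origin. The gateway address `http://127.0.0.1:3456`, the cap strings and the `imap:` URL are constructed placeholders, and the helper names are hypothetical.

```javascript
// Constructed sample URLs: two different caps served by one local web gateway.
const GATEWAY = "http://127.0.0.1:3456";
const untrustedPage = GATEWAY + "/uri/URI:CHK:aaaa-constructed/page.html";
const privateFile = GATEWAY + "/uri/URI:DIR2:bbbb-constructed/notes.txt";
const imapUrl = "imap://mail.example/INBOX";        // not an http(s)-style scheme
const dataUrl = "data:text/html,<p>hi</p>";         // no server-based authority

// Returns the serialized (scheme, host, port) origin, or null when the URL
// gets an opaque origin (the spec text's "new globally unique identifier").
function originOf(urlString) {
  try {
    const origin = new URL(urlString).origin;       // throws if not absolute
    return origin === "null" ? null : origin;
  } catch {
    return null;                                    // parse failure
  }
}

// Same-origin test. An opaque origin never matches another origin, so the
// serialized string "null" must not be compared as if it were a real origin.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa === ob;
}

// The cap in the path plays no part in the origin: every file read through
// the gateway lands in the same origin as a script read through it.
function report() {
  return [
    ["page vs. private file, same gateway", sameOrigin(untrustedPage, privateFile)],
    ["page vs. gateway on another port", sameOrigin(untrustedPage, "http://127.0.0.1:3457/uri/x")],
    ["page vs. imap: URL", sameOrigin(untrustedPage, imapUrl)],
    ["data: URL vs. itself", sameOrigin(dataUrl, dataUrl)],
  ];
}

for (const [label, result] of report()) {
  console.log(label.padEnd(40), result ? "same origin" : "different origin");
}
```

Only the first row reports "same origin": isolation between caps has to come from something that changes the scheme, host or port, or that yields an opaque origin.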

