[tahoe-dev] [tahoe-lafs] #127: Cap URLs leaked via HTTP Referer header

tahoe-lafs trac at allmydata.org
Thu Oct 29 19:04:43 UTC 2009


#127: Cap URLs leaked via HTTP Referer header
-------------------------------+--------------------------------------------
 Reporter:  warner             |           Owner:           
     Type:  defect             |          Status:  new      
 Priority:  major              |       Milestone:  undecided
Component:  code-frontend-web  |         Version:  0.7.0    
 Keywords:  security           |   Launchpad_bug:           
-------------------------------+--------------------------------------------

Comment(by davidsarah):

 If all of these work, option C seems to be the simplest. Option A requires
 an ftp server, which seems like an unwarranted excursion if we can
 possibly avoid it. Option B depends on more of the DOM and HTML, hence
 greater exposure to browser idiosyncrasies, than option C does.

 (The location URL in option C needs to be properly escaped for an URL-in-
 JSStringLiteral-in-HTML-in-JSStringLiteral-in-JSStringLiteral-in-HTML, but
 that's straightforward :-)

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/127#comment:17>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid


More information about the tahoe-dev mailing list