[tahoe-dev] [tahoe-lafs] #127: Cap URLs leaked via HTTP Referer header

tahoe-lafs trac at allmydata.org
Thu Oct 29 20:54:33 UTC 2009


#127: Cap URLs leaked via HTTP Referer header
-------------------------------+--------------------------------------------
 Reporter:  warner             |           Owner:           
     Type:  defect             |          Status:  new      
 Priority:  major              |       Milestone:  undecided
Component:  code-frontend-web  |         Version:  0.7.0    
 Keywords:  security           |   Launchpad_bug:           
-------------------------------+--------------------------------------------

Comment(by davidsarah):

 For anyone trying to test option C, the syntax above was wrong; it should
 be
 {{{
 <script>window.location="javascript:window.location='capURL'"</script>
 }}}

 However, I'm not sure that options B or C work for what we are trying to
 do. The problem we're trying to solve is that following a link from the
 contents of a Tahoe file may reveal the file's URL ('capURL'). Options B
 and C prevent the page at 'capURL' from seeing the referring URL (of the
 page containing the JavaScript), but they don't prevent leakage of
 'capURL' to a site that the page at 'capURL' links to.

 Only option A allows you to prevent sending a Referer header when
 following a link from a page with arbitrary contents (by serving that page
 via FTP).

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/127#comment:20>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid

