[tahoe-dev] [cap-talk] do caps-in-URLs work in practice? (was: Disabling clipboard access in Internet Explorer)

zooko zooko at zooko.com
Wed Dec 3 10:20:54 PST 2008


Tyler Close wrote to me privately.  I'm taking the liberty of  
replying publicly.  I hope that's all right.

On Dec 2, 2008, at 14:31 PM, Tyler Close wrote:

> Could you provide links to Nathan and Collin's arguments?

http://allmydata.org/pipermail/tahoe-dev/2008-February/000404.html

http://allmydata.org/pipermail/tahoe-dev/2008-November/000865.html


> The printing argument doesn't seem so obvious to me. I think having  
> the cap on the printout is a good thing, assuming it's the cap for  
> the read-only facet of the file.

Well, the most common caps in tahoe currently are caps to immutable  
files (so of course the caps provide read-only access).  But it is  
possible that someone could view a read-write cap to a file, or a  
read-only cap to a mutable file or directory, and then print it.  If  
the cap is printed onto the page (in the URL), then the user might be  
surprised that they were giving more authority to someone than they  
intended, when giving them a printout.

A printout is typically assumed to convey only read authority to that  
particular fixed representation of the data, doesn't it?  ;-)  On the  
other hand, I like it when a printout has a URL on it where I can  
read new versions of the same document.

I wonder if those browsers that print out the URL in the footer would  
include a URL fragment?  Hey, I have Firefox-3 here -- I can try it:

http://allmydata.org/~zooko/testwikiprintout.pdf

The answer is that Firefox-3.0.4 on Mac doesn't add any such footer.   
Kind of unfortunate -- since the URL in question is the read-only cap  
to the current version of my blog (i.e., conveying exactly the same  
authority that a normal URL does), and I would like that to be  
appended.  Oh, I see you can configure Firefox-3 to do this -- on Mac  
OS X it is in the print dialog under a tab named "firefox".  Here is  
the result:

http://allmydata.org/~zooko/testwikiprintout-with-URL-footer.pdf

Too bad!  Tahoe's caps are too long to print in a footer.


At the moment I'm not too worried about the URLs-in-footers issue.

I await more specific security arguments (ideally actual
demos/exploits) which can guide us to improve the way Tahoe uses caps
on the web.


Regards,

Zooko
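
The concern raised in the message above, that a URL printed in a page footer can convey more authority than the person handing over the printout intended, as an added example (not part of the original message and not Tahoe's own code): a check a print path could run before placing a URL in a footer. The cap prefixes are Tahoe-LAFS's; the function names, the `max_len` limit, the policy choices and the sample URLs in the comments are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Tahoe-LAFS cap prefixes -> (authority conveyed, whether the target is mutable)
CAP_KINDS = {
    "URI:CHK:": ("read", False),      # immutable file
    "URI:LIT:": ("read", False),      # small immutable file, data held in the cap
    "URI:SSK-RO:": ("read", True),    # mutable file, read-only facet
    "URI:DIR2-RO:": ("read", True),   # directory, read-only facet
    "URI:SSK:": ("write", True),      # mutable file, read-write
    "URI:DIR2:": ("write", True),     # directory, read-write
}

def find_cap(url):
    """Return the first cap found in the URL path or fragment, or None."""
    parts = urlsplit(url)
    # Split on "/" before decoding so an encoded cap stays one segment.
    for raw in parts.path.split("/") + [parts.fragment]:
        text = unquote(raw)
        if text.startswith("URI:"):
            return text
    return None

def classify(cap):
    """Return (authority, mutable); unrecognised caps fail closed."""
    for prefix, kind in CAP_KINDS.items():
        if cap.startswith(prefix):
            return kind
    return ("unknown", True)

def footer_decision(url, max_len=120):
    """Return (action, footer_text); action is 'print', 'warn' or 'withhold'."""
    cap = find_cap(url)
    if cap is None:
        return ("print", url)             # ordinary URL, nothing to leak
    authority, mutable = classify(cap)
    if authority != "read":
        return ("withhold", "[URL withheld: cap is read-write or unrecognised]")
    if len(url) > max_len:
        # A cap cut off by the footer width grants nothing and misleads the reader.
        return ("withhold", "[URL withheld: too long for the footer]")
    # A read-only cap to a mutable object also reveals future versions: warn.
    return ("warn" if mutable else "print", url)

# Constructed sample (placeholder key material, not a real cap):
#   footer_decision("http://127.0.0.1:3456/uri/URI%3ADIR2%3Aaaaa%3Abbbb/notes.txt")
```
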

