[tahoe-dev] Tahoe WUI enhancement suggestion

Daira Hopwood (formerly David-Sarah) davidsarah at leastauthority.com
Tue Jun 18 01:53:18 UTC 2013


On 18/06/13 02:18, Tony Arcieri wrote:
> On Mon, Jun 17, 2013 at 5:37 PM, Daira Hopwood (formerly David-Sarah)
> <davidsarah at leastauthority.com <mailto:davidsarah at leastauthority.com>> wrote:
> 
>     It's not easy to make the aliases [accessible] from the web-UI without
>     exposing them to cross-site scripting attacks.
> 
> Can you detail how XSS against an aliases list in the WUI would work?

If the aliases list is at a known URL, then any content in the same origin
could access all of the aliases.

Also see <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/98>, although that's
probably a bit difficult to follow since many things have changed since then.

> I'd like to think this sort of thing could be done safely, especially in
> modern web browsers 

The best way to fix it is using HTML5 sandbox, preferably specified using
Content Security Policy -- but that's bleeding edge, only in recent drafts
of CSP/HTML5 and not implemented yet.

-- 
Daira Hopwood ⚥

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20130618/b1f9e3f9/attachment.pgp>


More information about the tahoe-dev mailing list