[tahoe-dev] Tahoe WUI enhancement suggestion
Daira Hopwood (formerly David-Sarah)
davidsarah at leastauthority.com
Tue Jun 18 01:53:18 UTC 2013
On 18/06/13 02:18, Tony Arcieri wrote:
> On Mon, Jun 17, 2013 at 5:37 PM, Daira Hopwood (formerly David-Sarah)
> <davidsarah at leastauthority.com> wrote:
>
> It's not easy to make the aliases [accessible] from the web-UI without
> exposing them to cross-site scripting attacks.
>
> Can you detail how XSS against an aliases list in the WUI would work?
If the aliases list is at a known URL, then any content in the same origin
could access all of the aliases.
Also see <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/98>, although that's
probably a bit difficult to follow since many things have changed since then.
> I'd like to think this sort of thing could be done safely, especially in
> modern web browsers
The best way to fix it is using HTML5 sandbox, preferably specified using
Content Security Policy -- but that's bleeding edge, only in recent drafts
of CSP/HTML5 and not implemented yet.
--
Daira Hopwood ⚥
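The same-origin argument in the message above, as an added example that is not part of the original post and not Tahoe-LAFS code: a small model of the browser's origin comparison, plus a parser for the CSP `sandbox` directive that the reply proposes as the fix. The WUI base URL (`http://127.0.0.1:3456`), the `/aliases` endpoint and the uploaded-page path are constructed for illustration; they are assumptions, not real Tahoe-LAFS URLs. A real browser applies this comparison to XHR/fetch and DOM access; the model only captures the origin check itself.

```javascript
// Added example (hypothetical URLs, not Tahoe-LAFS code): model of the
// same-origin check and of how a CSP "sandbox" directive changes its result.

// Origin = scheme + host + port, as the browser compares them.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// Parse a Content-Security-Policy header value into {directive: [tokens]}.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Effective origin of a document served from `url` under `cspHeader`.
// A "sandbox" directive without the allow-same-origin keyword gives the
// document an opaque origin, represented here as null.
function effectiveOrigin(url, cspHeader) {
  const policy = parseCsp(cspHeader || "");
  if ("sandbox" in policy && !policy.sandbox.includes("allow-same-origin")) {
    return null;
  }
  return originOf(url);
}

// Can script in a document with `documentOrigin` read `resourceUrl`?
// Only if the origin is not opaque and equals the resource's origin.
function canRead(documentOrigin, resourceUrl) {
  return documentOrigin !== null && documentOrigin === originOf(resourceUrl);
}

// Constructed sample URLs (assumptions for this example).
const WUI = "http://127.0.0.1:3456";
const ALIASES_URL = `${WUI}/aliases`; // hypothetical known URL for the list
const UPLOADED_PAGE = `${WUI}/uri/URI%3ADIR2-RO%3Aexample/evil.html`; // attacker HTML served by the node

// Four situations: attacker content served plainly from the node's origin,
// the same content under "sandbox", "sandbox ... allow-same-origin" (which
// undoes the protection), and content served from a different port.
function scenarios() {
  return {
    plain: canRead(effectiveOrigin(UPLOADED_PAGE, ""), ALIASES_URL),
    sandboxed: canRead(effectiveOrigin(UPLOADED_PAGE, "sandbox allow-scripts"), ALIASES_URL),
    sandboxSameOrigin: canRead(
      effectiveOrigin(UPLOADED_PAGE, "sandbox allow-scripts allow-same-origin"),
      ALIASES_URL
    ),
    otherPort: canRead(effectiveOrigin("http://127.0.0.1:3457/evil.html", ""), ALIASES_URL),
  };
}

console.log(scenarios());
```

The `plain` case is the attack in the message: content the node serves from its own origin can fetch any known URL on that origin, so a fixed aliases URL leaks to any uploaded HTML. Only the `sandboxed` case and the cross-origin case are refused; note that adding `allow-same-origin` to the sandbox directive restores the leak, so a policy meant to isolate user content must omit it.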