[tahoe-dev] Tahoe WUI enhancement suggestion

Greg Troxel gdt at ir.bbn.com
Tue Jun 18 11:31:31 UTC 2013


"Daira Hopwood (formerly David-Sarah)" <davidsarah at leastauthority.com>
writes:

> On 16/06/13 22:31, Till Steinmetz wrote:
>> wouldnt it make sense if it was possible to directly access the
>> aliases defined in basedir/private/aliases from the web gui instead
>> of only being able to access directorys by uri, or did I oversee the
>> option to do this?
>
> It's not easy to make the aliases accessable from the web-UI without
> exposing them to cross-site scripting attacks. We may be able to
> support that by adding a "control panel" that requires authentication
> (and is either served from a different origin to file content or uses
> something like HTML5 sandbox to isolate it from other scripts), but
> that will require a lot of development effort.

I would consider it a major security bug if it were even possible *by
default* for a client node's WUI to have access to aliases.  Currently,
the client node grants access to the introducer furl, more or less, and
statistics/etc., but is otherwise almost black - until one puts in a cap
- whereas alias access makes it red.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20130618/d596a8c3/attachment.pgp>


More information about the tahoe-dev mailing list