[tahoe-dev] CORS for web API

David-Sarah Hopwood david-sarah at jacaranda.org
Sun Mar 24 20:39:24 UTC 2013


On 24/03/13 18:03, Patrick Logan wrote:
> OK, thanks. This does bring the issues into focus for me.
> 
> I set up a gateway to accept requests from local host then proxied from apache without
> authorization when the request contains a capability, hoping to use a subset of the web
> API as a remote file system from the browser. I can see that generally enabling CORS in
> the gateway like this is not a secure direction.

That's an interesting point that it may be possible to enable CORS for a subset of the
API. I'll have to think about that (but a better long-term direction is to design
accounting so that there are no remaining ambient authority issues, so that CORS can
be enabled for all requests).

-- 
David-Sarah Hopwood ⚥

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20130324/70353307/attachment.pgp>


More information about the tahoe-dev mailing list