Segregate gateway HTTP ports: one for raw bytes and one for generated WUI pages

[davidsarah]

This is a complementary approach to #1797 and #827 for solving the same-origin security problems described in #615.

Note that it has no security benefit on Internet Explorer because IE treats all ports on a host as being in the same origin. It does have benefit on other browsers.

[freddyb]

I'd like to take this and separate the ports used for WUI pages and downloads. I think I've read some parts of the affected code but would need some help on one part or another.

I could also try take a stab at the other referenced tickets, though I find this approach the most desirable, as browsers itself (regardless of vendor and version) enforce a strict separation between origins.

[zooko]

Sweet! Thanks, freddyb!

I'm not sure if it is also worth making separate ports for downloads (the result of a GET from /named/) (see also #1903) from view/display (the result of a /uri/).

[freddyb]

I'm not sure I fully understand. Do you mean three ports? WUI, Download and display? Why should download and display be separated?

I thought about one port for download&display and one port for WUI and I realize that this might be much more work than anticipated, considering that I didn't think about the cli, which might need updating too.

I think it could be useful to redirect (http 301 moved permantently) GET requests for files that accidentally go to the WUI port. This could benefit compatibility and help identifying code points that don't use the new port.

[daira]

Zooko, I don't see any security motivation for doing that. Both downloads and views are serving untrusted content, and the distinction between download and view is context-dependent (for example, an <img> tag always displays its referent regardless of Content-Disposition).