Opened at 2009-10-28T04:03:18Z
Last modified at 2013-09-14T17:39:49Z
#821 assigned defect
A script in a file viewed through the WUI can obtain the file's read cap — at Initial Version
| Reported by: | davidsarah | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | soon |
| Component: | code-frontend-web | Version: | 1.5.0 |
| Keywords: | newcaps newurls confidentiality capleak websec | Cc: | |
| Launchpad Bug: | | | |
Description
http://allmydata.org/trac/tahoe/ticket/98#comment:22
A script (such as JavaScript) in an [X]HTML file viewed through the WUI can obtain the read cap for that file. For an immutable file, this is not much of a problem because the script can read the contents of the file anyway. However, for a mutable file, it can also read any future version, which is a violation of the Principle of Least Authority.
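
The exposure described above, sketched as an audit helper. This is an added example, not part of the ticket and not Tahoe-LAFS code. It assumes the cap is carried in the gateway URL in the `/uri/<cap>` and `/file/<cap>/@@named=/<name>` forms, and that `URI:CHK`/`URI:LIT` caps are immutable while `URI:SSK`/`URI:SSK-RO` caps are mutable; the function names and sample cap strings are constructed.

```javascript
// Added illustration; not code from the ticket or from Tahoe-LAFS.
// Assumptions: the gateway serves files at /uri/<cap> and
// /file/<cap>/@@named=/<name>; URI:CHK and URI:LIT caps are immutable,
// URI:SSK and URI:SSK-RO caps are mutable.
const SCRIPTABLE_TYPES = new Set(["text/html", "application/xhtml+xml"]);

// Return the capability embedded in a gateway URL, or null if there is none.
function extractCap(url) {
  const path = new URL(url, "http://gateway.invalid").pathname;
  const m = /^\/(?:uri|file)\/([^/]+)/.exec(path);
  if (!m) return null;
  let cap;
  try { cap = decodeURIComponent(m[1]); } catch (e) { return null; }
  return cap.startsWith("URI:") ? cap : null;
}

function classifyCap(cap) {
  const kind = cap.split(":")[1];
  if (kind === "CHK" || kind === "LIT") return "immutable";
  if (kind === "SSK" || kind === "SSK-RO") return "mutable";
  return "unknown";
}

// What does a script running in this response learn from its own URL?
function assessResponse({ url, contentType }) {
  const cap = extractCap(url);
  if (cap === null) return "no-cap-in-url";
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  if (!SCRIPTABLE_TYPES.has(type)) return "not-html";
  const kind = classifyCap(cap);
  if (kind === "immutable") return "cap-exposed-same-content-only";
  if (kind === "mutable") return "cap-exposed-future-versions";
  return "cap-exposed-unknown-kind";
}

// Constructed sample responses (cap strings are placeholders, not real caps).
const SAMPLES = [
  { url: "/uri/URI%3ACHK%3Aaaaa%3Abbbb%3A3%3A10%3A1234", contentType: "text/html" },
  { url: "/file/URI%3ASSK-RO%3Acccc%3Adddd/@@named=/page.html", contentType: "text/html; charset=utf-8" },
  { url: "/uri/URI:SSK-RO:cccc:dddd", contentType: "image/png" },
  { url: "/status/", contentType: "text/html" },
];

function auditSamples() {
  return SAMPLES.map(assessResponse);
}
console.log(auditSamples());
```

Only the second sample is the case the ticket objects to: an [X]HTML response whose URL carries a mutable cap, so page script gains access to versions it was never shown.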