<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>So, </div><div><br></div><div>excuse my lack of knowledge on XSS and Web Security in General: So it makes no difference if the WUI just has access to the alias names without their uri's and the tahoe process looks them up for you? I still dont understand why, i.e. typing an alias into the "open directory" field on the WUI instead of directly putting it's URI is different, security wise. </div><div><br></div><div>From a usability point of view: Now i have to keep a list of URIs of my directories somewhere to copy&paste them if i want access to them. I can define them in the alias file and "cat aliases" whenever i want access them in the WUI, but then i am at the CLI already and could do my tahoe stuff from there. So in what way do you imagine the average user to have his/her URI's available, carrying around a usb drive with a list on it, which probably should be encrypted itself?</div><div><br></div><div>cheers,</div><div>t.</div><div> </div><div><br></div><br><div><div>On Jun 18, 2013, at 7:46 AM, Tony Arcieri wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr">BTW, you might check out oasis.js: capabilities-based sandboxing for the web with polyfills for older browsers:<div><br></div><div><a href="http://oasisjs.com/">http://oasisjs.com/</a><br></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Mon, Jun 17, 2013 at 8:15 PM, Tony Arcieri <span dir="ltr"><<a href="mailto:tony.arcieri@gmail.com" target="_blank">tony.arcieri@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="im">On Mon, Jun 17, 2013 at 6:53 PM, Daira Hopwood (formerly David-Sarah) <span dir="ltr"><<a href="mailto:davidsarah@leastauthority.com" target="_blank">davidsarah@leastauthority.com</a>></span> wrote:<br>
</div><div class="gmail_extra"><div class="gmail_quote"><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><span style="color:rgb(34,34,34)">If the aliases list is at a known URL, then any content in the same origin</span><br>
</div>
could access all of the aliases.</blockquote><div><br></div></div><div>Okay, that's a valid concern, thanks. And I hope you can implement <iframe sandbox> soon, browser support permitting</div></div><span class="HOEnZb"><font color="#888888"><div>
<br></div>
-- <br>Tony Arcieri<br>
</font></span></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Tony Arcieri<br>
</div>
_______________________________________________<br>tahoe-dev mailing list<br><a href="mailto:tahoe-dev@tahoe-lafs.org">tahoe-dev@tahoe-lafs.org</a><br>https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev<br></blockquote></div><br></body></html>