[tahoe-dev] [tahoe-lafs] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?
tahoe-lafs
trac at allmydata.org
Sat Nov 7 00:09:56 PST 2009
#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
---------------------------+------------------------------------------------
Reporter: zooko | Type: defect
Status: new | Priority: critical
Milestone: undecided | Component: code-frontend-web
Version: 1.3.0 | Keywords: newcaps security
Launchpad_bug: |
---------------------------+------------------------------------------------
Comment(by davidsarah):
Ooh, this is interesting:
http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html
> If url identifies a resource that is its own trust domain (e.g. it
> identifies an e-mail on an IMAP server or a post on an NNTP server) then
> return a globally unique identifier specific to the resource identified by
> url, so that if this algorithm is invoked again for URLs that identify the
> same resource, the same identifier will be returned.

> If url does not use a server-based naming authority, or if parsing url
> failed, or if url is not an absolute URL, then return a new globally
> unique identifier.
I don't know whether this is new proposed HTML5 behaviour, or what
browsers currently implement. If the latter, then we could try using an
IMAP or NNTP server for the WUI -- bizarre, but possibly simpler than my
iframe suggestion above, if it works.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/615#comment:10>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
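
Added example, not part of the original message or of Tahoe-LAFS: a sketch of why the ticket's question arises, using the WHATWG URL API to partition URLs into origins. It models the (scheme, host, port) tuple case and the second quoted rule (a fresh identifier each time), not the "own trust domain" rule; the gateway address 127.0.0.1:3456, the cap strings, and the function names are assumptions constructed for illustration.

```javascript
// Return an origin key for a URL string. Tuple origins become the string
// "scheme://host:port"; everything else gets a fresh Symbol, modelling
// "return a new globally unique identifier" from the quoted spec text.
function originKey(urlString) {
  let url;
  try {
    url = new URL(urlString); // throws on relative or unparsable URLs
  } catch (e) {
    return Symbol("opaque: parse failed or not absolute");
  }
  // The URL API serialises an opaque origin as the string "null".
  if (url.origin === "null") {
    return Symbol("opaque: " + url.protocol);
  }
  return url.origin;
}

// Two URLs share a trust domain only if their origin keys are identical.
function sameOrigin(a, b) {
  return originKey(a) === originKey(b);
}

// Partition URLs into the trust domains a browser would assign them.
function groupByOrigin(urls) {
  const groups = new Map();
  for (const u of urls) {
    const key = originKey(u);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(u);
  }
  return [...groups.values()];
}

// Constructed sample data: placeholder caps on an assumed local gateway.
const GATEWAY = "http://127.0.0.1:3456";
const PRIVATE_DIR = GATEWAY + "/uri/URI:DIR2:private-dir-placeholder/";
const UNTRUSTED_PAGE = GATEWAY + "/uri/URI:CHK:untrusted-page-placeholder";
const DATA_DOC = "data:text/html,constructed-sample";
const SAMPLE_URLS = [PRIVATE_DIR, UNTRUSTED_PAGE, DATA_DOC, DATA_DOC,
                     "/uri/relative-placeholder"];

// Both gateway URLs land in one group; each remaining URL is isolated.
console.log(groupByOrigin(SAMPLE_URLS));
```

Every cap served by the gateway collapses into the single origin http://127.0.0.1:3456, while URLs without a server-based naming authority are each isolated, which is the property the comment hopes to exploit for separation.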