[tahoe-dev] [tahoe-lafs] #127: Cap URLs leaked via HTTP Referer header
tahoe-lafs
trac at allmydata.org
Thu Oct 29 13:54:33 PDT 2009
#127: Cap URLs leaked via HTTP Referer header
-------------------------------+--------------------------------------------
Reporter: warner | Owner:
Type: defect | Status: new
Priority: major | Milestone: undecided
Component: code-frontend-web | Version: 0.7.0
Keywords: security | Launchpad_bug:
-------------------------------+--------------------------------------------
Comment(by davidsarah):
For anyone trying to test option C, the syntax above was wrong; it should
be
{{{
<script>window.location="javascript:window.location='capURL'"</script>
}}}
However, I'm not sure that options B or C work for what we are trying to
do. The problem we're trying to solve is that following a link from the
contents of a Tahoe file may reveal the file's URL ('capURL'). Options B
and C prevent the page at 'capURL' from seeing the referring URL (of the
page containing the JavaScript), but they don't prevent leakage of
'capURL' to a site that the page at 'capURL' links to.
Only option A allows you to prevent sending a Referer header when
following a link from a page with arbitrary contents (by serving that page
via FTP).
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/127#comment:20>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid