[tahoe-dev] File types and encodings
Chris Palmer
chris at noncombatant.org
Tue Mar 9 13:35:22 PST 2010
Which reminds me: How does the WUI protect against cross-site scripting?
Many systems like it ("browse this file share through your browser") suffer
from XSS sadness. (Have we talked about this before? Sorry if so.)
One approach is to serve files from a different origin than the WUI itself,
e.g. how Google's cache serves its files from an IP address. (Thus, content
written by somebody else does not get served from the
http://www.google.com:80 origin --- thankfully).
Another approach is to server with content-disposition: attachment, but that
is less reliable and potentially annoying ("I actually *did* want to see it
inside the browser!"). It was a hack that some people used to get around the
"universal PDF XSS" attack a few years back.
More information about the tahoe-dev
mailing list