[tahoe-lafs-trac-stream] [tahoe-lafs] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?
tahoe-lafs
trac at tahoe-lafs.org
Sat Jul 30 15:55:07 PDT 2011
#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
-------------------------+-------------------------------------------------
Reporter: zooko | Owner: davidsarah
Type: defect | Status: assigned
Priority: | Milestone: soon
critical | Version: 1.3.0
Component: code- | Keywords: newcaps confidentiality integrity
frontend-web | preservation capleak gsoc
Resolution: |
Launchpad Bug: |
-------------------------+-------------------------------------------------
Comment (by davidsarah):
Replying to [comment:10 davidsarah]:
> Ooh, this is interesting:
>
> http://www.whatwg.org/specs/web-apps/current-
work/multipage/origin-0.html
>
> > If url identifies a resource that is its own trust domain (e.g. it
identifies an e-mail on an IMAP server or a post on an NNTP server) then
return a globally unique identifier specific to the resource identified by
url, so that if this algorithm is invoked again for URLs that identify the
same resource, the same identifier will be returned.
>
> > If url does not use a server-based naming authority, or if parsing url
failed, or if url is not an absolute URL, then return a new globally
unique identifier.
>
> I don't know whether this is new proposed HTML5 behaviour, or what
browsers currently implement. If the latter, then we could try using an
IMAP or NNTP server for the WUI -- bizarre, but possibly simpler than my
iframe suggestion above, if it works.
Doesn't work, because Firefox 5 doesn't support {{{news:}}} or {{{nntp:}}}
or {{{imap:}}} internally.
--
Ticket URL: <http://tahoe-lafs.org/trac/tahoe-lafs/ticket/615#comment:19>
tahoe-lafs <http://tahoe-lafs.org>
secure decentralized storage
More information about the tahoe-lafs-trac-stream
mailing list