[tahoe-lafs-trac-stream] [tahoe-lafs] #1215: add CORS support
tahoe-lafs
trac at tahoe-lafs.org
Wed Nov 16 17:27:29 UTC 2011
#1215: add CORS support
-----------------------------------+---------------------------
Reporter: warner | Owner:
Type: enhancement | Status: new
Priority: major | Milestone: undecided
Component: code-frontend-web | Version: 1.8.0
Resolution: | Keywords: security http
Launchpad Bug: |
-----------------------------------+---------------------------
Comment (by warner):
http://www.w3.org/community/unhosted/wiki/RemoteStorage makes this even
more important to implement (it mentions Tahoe as a backend, and cites
CORS as the enabler).
I'm not so worried about ambient storage authority: we expose that already
(form POST to {{{/uri?t=upload}}}), and we know it needs to be resolved,
probably by passing a storage-cap along with the write-cap, which probably
means a JS frontend and a bunch of UI rethinking to figure out how to
share write-authority and storage-authority separately (or maybe
together).
And I guess I'm not fond of arguments like "somebody might be depending
upon this, so we can't change it", which are impossible to argue against
(maybe our userbase is still small enough that we can actually ask all of
them whether they're depending upon this particular thing, or we could
raise the issue on the mailing list and give folks a month to speak up,
and then change it). It's the sort of argument which created the flawed
same-origin policy in the first place, such that CORS had to be developed
to undo the damage.
Also, #587 is a serious science and engineering effort: we have to define
Accounting, make it work, define a whole bunch of new webapi authorities,
make *them* work, change the webui to use them, change the CLI commands to
use them, then finally we can remove the ambient upload interface. Good
stuff to have, but it's not going to happen within the next six months,
probably longer.
In contrast, adding CORS support is easy and quick, and would immediately
enable a large class of applications. It'd also reinforce our message of
not relying on same-origin restrictions: we know the sort of obj-cap world
we want to live in, where power is exercised by holding sharable
references instead of by coming from magical domains.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1215#comment:4>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
More information about the tahoe-lafs-trac-stream
mailing list