[tahoe-lafs-trac-stream] [tahoe-lafs] #1215: add CORS support
tahoe-lafs
trac at tahoe-lafs.org
Wed Nov 16 23:25:50 UTC 2011
#1215: add CORS support
-----------------------------------+---------------------------
Reporter: warner | Owner:
Type: enhancement | Status: new
Priority: major | Milestone: undecided
Component: code-frontend-web | Version: 1.8.0
Resolution: | Keywords: security http
Launchpad Bug: |
-----------------------------------+---------------------------
Comment (by davidsarah):
I strongly disagree with comment:4 and comment:5. We advocate setting the
web port to listen only for connections from localhost, precisely in order
to mitigate the ambient authority problems with the current WUI. It's the
documented way to avoid such problems, and we shouldn't make it break,
introducing new and unnecessary security vulnerabilities, until we have
fixed them.
> However, what vulnerability would turning on
> Access-Control-Allow-Origin: * open up?
An XHR request is indistinguishable to the gateway from any other request,
so the consequence is that an attacker who can run any script in the
user's browser -- not only scripts loaded from the gateway's origin -- can
do anything that the user can do with that gateway. (Because the gateway
does not support "preflight" checks, this is limited to GETs and to POSTs
of MIME types {{{application/x-www-form-urlencoded}}},
{{{multipart/form-data}}}, and {{{text/plain}}}, but that's not much of a
restriction in our case.)
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1215#comment:6>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
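
The preflight rule mentioned in the comment above, as an added example (not part of the ticket or of Tahoe-LAFS code): a simplified model of which cross-origin requests a browser sends without an OPTIONS preflight, and therefore which ones reach a gateway that does not handle preflights. Function names and sample requests are constructed; the inclusion of HEAD and the header safelist go beyond the comment and follow the CORS specification.

```python
# Added example; names and sample requests are constructed for illustration.

# The comment lists GET and POST; the CORS spec also exempts HEAD.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Request headers a script may set without forcing a preflight.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language",
                      "content-type"}


def needs_preflight(method, headers=None):
    """True if a browser sends an OPTIONS preflight before this request."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    if method.upper() not in SIMPLE_METHODS:
        return True
    if any(name not in SAFELISTED_HEADERS for name in headers):
        return True
    ctype = headers.get("content-type")
    if ctype is not None:
        # Parameters such as charset or boundary do not affect the decision.
        essence = ctype.split(";", 1)[0].strip().lower()
        return essence not in SIMPLE_CONTENT_TYPES
    return False


def reaches_gateway(method, headers=None, answers_preflight=False):
    """True if the browser delivers the request to the gateway at all."""
    # answers_preflight=False models the gateway in the comment: a request
    # that needs a preflight is dropped by the browser when OPTIONS fails.
    # True assumes the gateway answers the preflight and approves it.
    return answers_preflight or not needs_preflight(method, headers)


# Constructed sample requests issued by a script from a foreign origin.
SAMPLES = [
    ("GET", {}),
    ("POST", {"Content-Type": "multipart/form-data; boundary=x"}),
    ("POST", {"Content-Type": "application/json"}),
    ("PUT", {"Content-Type": "text/plain"}),
    ("GET", {"X-Requested-With": "XMLHttpRequest"}),
]

if __name__ == "__main__":
    for method, hdrs in SAMPLES:
        print(method, hdrs, "->", reaches_gateway(method, hdrs))
```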