[tahoe-lafs-trac-stream] [tahoe-lafs] #1215: add CORS support
tahoe-lafs
trac at tahoe-lafs.org
Thu Nov 17 06:21:56 UTC 2011
#1215: add CORS support
-----------------------------------+---------------------------
Reporter: warner | Owner:
Type: enhancement | Status: new
Priority: major | Milestone: undecided
Component: code-frontend-web | Version: 1.8.0
Resolution: | Keywords: security http
Launchpad Bug: |
-----------------------------------+---------------------------
Comment (by zooko):
Replying to [comment:6 davidsarah]:
>
> > However, what vulnerability would turning on Access-Control-Allow-Origin: * open up?
>
> An XHR request is indistinguishable to the gateway from any other
> request, so the consequence is that an attacker who can run any script in
> the user's browser -- not only scripts loaded from the gateway's origin --
> can do anything that the user can do with that gateway. (Because the
> gateway does not support "preflight" checks, this is limited to GETs and
> to POSTs of MIME types {{{application/x-www-form-urlencoded}}},
> {{{multipart/form-data}}}, and {{{text/plain}}}, but that's not much of a
> restriction in our case.)
Okay, thanks for the explanation. Am I right, in comment:5, that giving an
attacker this power would not enable the attacker to perform the "steal
your storage for my temporary file-sharing" use case?
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1215#comment:7>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
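To make the "no preflight" point in the quoted comment concrete, here is an added example (not Tahoe-LAFS code, and not from the ticket) that classifies which cross-origin requests a browser sends without a preflight, and shows a per-origin allowlist as the alternative to a blanket `Access-Control-Allow-Origin: *`. The allowlist value is a constructed placeholder, not a real Tahoe-LAFS setting.

```python
# Added example, not Tahoe-LAFS code. Models the CORS behaviour discussed in
# the ticket: a "simple" cross-origin request is sent without an OPTIONS
# preflight, so a gateway that never answers preflights still receives it
# exactly like a same-origin request.

# Simple-request rules from the Fetch standard: these methods, these
# Content-Type media types and these request headers never trigger a preflight.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}

def is_simple_request(method, headers):
    """True if a browser would send this cross-origin request with no preflight."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    # Any header outside the safelist (e.g. Authorization, X-Requested-With)
    # forces a preflight, which the gateway in the ticket would not answer.
    if any(name not in SAFELISTED_HEADERS for name in lowered):
        return False
    ctype = lowered.get("content-type")
    if ctype is not None:
        # Only the media type counts; parameters such as boundary= are ignored.
        media_type = ctype.split(";", 1)[0].strip().lower()
        if media_type not in SIMPLE_CONTENT_TYPES:
            return False
    return True

def cors_headers(request_origin, allowed_origins):
    """Response headers for a gateway that grants CORS only to listed origins.

    Returns {} (no grant at all) for an origin not in the allowlist, instead
    of the wildcard '*' discussed in the ticket. allowed_origins is a
    constructed example value, not a Tahoe-LAFS configuration option.
    """
    if request_origin in allowed_origins:
        return {
            "Access-Control-Allow-Origin": request_origin,
            # Caches must key the answer on the requesting origin.
            "Vary": "Origin",
        }
    return {}
```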