[tahoe-lafs-trac-stream] [tahoe-lafs] #827: Put file download links ('?save=true') in WUI directory listings
tahoe-lafs
trac at tahoe-lafs.org
Mon Aug 27 18:44:39 UTC 2012
----------------------------------+----------------------------------------
     Reporter:  davidsarah        |      Owner:  davidsarah
         Type:  defect            |     Status:  assigned
     Priority:  major             |  Milestone:  1.11.0
    Component:  code-frontend-web |    Version:  1.5.0
   Resolution:                    |   Keywords:  security usability capleak docs download easy
Launchpad Bug:                    |
----------------------------------+----------------------------------------
Comment (by zooko):

Brian suggested a good idea: a separate port for "pure bytes, unmolested
by the LAFS layer -- what you put in is what you get at" and for "content,
such as should be displayed in a web browser". Fetching a resource (e.g.
with a file cap) from the latter port might result in content that is wrapped
in a Secure Ecmascript prefix, for example, which attempts to nullify the
ability of JavaScript within the content to do bad things once it is
displayed in a browser.

I propose that we have separate ports for at least these uses:

1. Pure no-JS-required WUI/WAPI
2. Pure bytes data port -- you should never ever point a web browser at
this port! Use the web content port instead.
3. Content for display -- the content might be manipulated, such as by
prepending a Secure Ecmascript prelude, or other attempts to confine the
content when your browser runs it.
4. New shiny JS-powered WUI/WAPI
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/827#comment:14>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
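
The port split proposed in the comment matters to a browser because an origin is the (scheme, host, port) triple, so script in displayed content on its own port is cross-origin to the WUI/WAPI ports. The sketch below is an added example, not part of the ticket or of Tahoe-LAFS; the host, the port numbers and the role names are constructed for illustration.

```javascript
// Added illustration, not Tahoe-LAFS code. Host, ports and role names are constructed.
const HOST = "http://127.0.0.1";

// One gateway port serving every use (no separation between UI and file content).
const SINGLE = { wui: 8000, rawBytes: 8000, content: 8000, wuiJs: 8000 };

// The four uses listed in the comment, each on its own hypothetical port.
const SPLIT = { wui: 8001, rawBytes: 8002, content: 8003, wuiJs: 8004 };

// A browser origin is the (scheme, host, port) triple; URL.origin serializes it.
function originFor(layout, role) {
  if (!(role in layout)) throw new Error(`unknown role: ${role}`);
  return new URL(`${HOST}:${layout[role]}/`).origin;
}

// True if script in a document served for `fromRole` is same-origin with
// resources served for `toRole`, i.e. the browser lets it read them via
// the DOM or fetch/XHR without any cross-origin opt-in.
function canScriptRead(layout, fromRole, toRole) {
  return originFor(layout, fromRole) === originFor(layout, toRole);
}

// Every other role that script inside displayed content shares an origin with.
function reachableFromContent(layout) {
  return Object.keys(layout)
    .filter((role) => role !== "content")
    .filter((role) => canScriptRead(layout, "content", role));
}

console.log("single port:", reachableFromContent(SINGLE));
console.log("split ports:", reachableFromContent(SPLIT));
```

Port separation isolates DOM and fetch/XHR access only; cookies are not scoped by port, so a design that relied on cookies would need host-level separation as well.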