[tahoe-lafs-trac-stream] [tahoe-lafs] #827: Put file download links ('?save=true') in WUI directory listings

tahoe-lafs trac at tahoe-lafs.org
Mon Aug 27 18:44:39 UTC 2012


#827: Put file download links ('?save=true') in WUI directory listings
-------------------------------------+-------------------------------------
     Reporter:  davidsarah           |      Owner:  davidsarah
         Type:  defect               |     Status:  assigned
     Priority:  major                |  Milestone:  1.11.0
    Component:  code-frontend-web    |    Version:  1.5.0
   Resolution:                       |   Keywords:  security usability capleak docs download easy
Launchpad Bug:                       |
-------------------------------------+-------------------------------------

Comment (by zooko):

 Brian suggested a good idea: a separate port for "pure bytes, unmolested
 by the LAFS layer -- what you put in is what you get at" and for "content,
 such as should be displayed in a web browser". Fetching a resource (e.g.
 with a file cap) from the latter port might result in content that is wrapped
 in a Secure Ecmascript prefix, for example, which attempts to nullify the
 ability of Javascript within the content to do bad things once it is
 displayed in a browser.

 I propose that we have separate ports for at least these uses:

 1. Pure no-JS-required WUI/WAPI
 2. Pure bytes data port -- you should never ever point a web browser at
 this port! Use the web content port instead.
 3. Content for display--the content might be manipulated, such as by
 prepending a Secure Ecmascript prelude, or other attempts to confine the
 content when your browser runs it.
 4. New shiny JS-powered WUI/WAPI

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/827#comment:14>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
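
The "pure bytes" port and the "content for display" port from the comment above, sketched as an added example that is not Tahoe-LAFS code and not part of the original message: the same stored bytes are served from two loopback ports with different response policies. The role names, the path, the header choices and the use of a CSP `sandbox` header in place of the Secure Ecmascript prelude the comment mentions are all assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample: a stored file whose bytes happen to be active HTML.
STORED = b"<script>document.title = 'hello'</script>"

# Hypothetical per-port response policies (not Tahoe-LAFS settings).
POLICIES = {
    # "pure bytes" port: returned unmodified, marked download-only
    "bytes": {"Content-Type": "application/octet-stream",
              "Content-Disposition": "attachment",
              "X-Content-Type-Options": "nosniff"},
    # "content for display" port: rendered, but confined by the browser
    "content": {"Content-Type": "text/html; charset=utf-8",
                "Content-Security-Policy": "sandbox",
                "X-Content-Type-Options": "nosniff"},
}

def make_handler(role):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            for name, value in POLICIES[role].items():
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(STORED)))
            self.end_headers()
            self.wfile.write(STORED)
    return Handler

def start(role):
    # Port 0 asks the OS for a free port, so each role gets its own listener.
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(role))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(server):
    conn = http.client.HTTPConnection(*server.server_address)
    conn.request("GET", "/file/EXAMPLE-CAP")  # placeholder path, not a real cap
    resp = conn.getresponse()
    return resp.headers, resp.read()

def demo():
    servers = {role: start(role) for role in POLICIES}
    results = {role: fetch(srv) for role, srv in servers.items()}
    for srv in servers.values():
        srv.shutdown()
        srv.server_close()
    return results
```

Calling `demo()` returns the headers and body seen on each port; the bodies are identical and only the headers that tell a browser how to treat them differ.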