[tahoe-lafs-trac-stream] [tahoe-lafs] #615: Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?
tahoe-lafs
trac at tahoe-lafs.org
Thu Mar 29 16:09:30 UTC 2012
#615: Can JavaScript loaded from Tahoe access all your content which is loaded
from Tahoe?
-------------------------+-------------------------------------------------
Reporter: zooko | Owner: davidsarah
Type: defect | Status: assigned
Priority: | Milestone: soon
critical | Version: 1.3.0
Component: code- | Keywords: newcaps confidentiality integrity
frontend-web | preservation capleak gsoc
Resolution: |
Launchpad Bug: |
-------------------------+-------------------------------------------------
Comment (by zooko):
All right, what does it take to make progress on this ticket? I have seen
a demo exploit that relies on the user following a link from protected
content to malicious content -- the "back-jacking" attack. A good way to
make progress on this ticket would be to make a system test that exercises
the system through a live browser and demonstrates the attack! That would
be cool. Anybody game to do that?
If not, another good way to make progress on this ticket would be to start
implementing David-Sarah's technique from comment:8. Maybe the first step
on that would be to write a design document specifying exactly what the
comment:8 technique accomplishes? Maybe we should create a new ticket just
for the comment:8 technique and retire this ticket?
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/615#comment:22>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
More information about the tahoe-lafs-trac-stream
mailing list