[tahoe-lafs-trac-stream] [tahoe-lafs] #1942: google chart in wui leaks information
tahoe-lafs
trac at tahoe-lafs.org
Thu Apr 11 21:07:01 UTC 2013
#1942: google chart in wui leaks information
-------------------------+-------------------------------------------------
Reporter: leif | Owner: daira
Type: defect | Status: assigned
Priority: normal | Milestone: 1.10.0
Component: code-frontend-web | Version: 1.9.2
Resolution: | Keywords: anonymity privacy integrity confidentiality security capleak
Launchpad Bug: |
-------------------------+-------------------------------------------------
Comment (by warner):
Oh, wait, I remember thinking about this. No, the chart that is loaded is
an IMG tag (and google generally returns a PNG). Everything Leif said is
correct, but it does *not* give google access to the rest of the origin
(if it were including JS or CSS or something active, it would, but a plain
IMG tag won't load anything active). I briefly had code to generate a PNG
in the tahoe client itself, but that added a dependency on the PIL library
which seemed a bit big.

I think d3.js is the right way to go: it doesn't make the python-side code
any bigger, the JS library is already in our tree, and I'm ok with not
giving timelines to folks who have JS turned off.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1942#comment:5>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
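
Added example, not part of warner's comment or the Tahoe-LAFS code: a small Python audit that separates the two cases the comment distinguishes, third-party loads that are active (script, stylesheet, frame) and ones that are passive (an IMG). The sample page, host names and the audit() helper are constructed for illustration; a passive hit still means the request, with whatever is in its URL, goes to the other host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Fetched content that runs in, or can restyle, the embedding origin.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
# Fetched content that is only rendered; the request still leaves the node.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}


class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlsplit(page_url).netloc
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr, value in attrs.items():
            kind = None
            if (tag, attr) in ACTIVE:
                kind = "active"
            elif tag == "link" and attr == "href":
                rel = (attrs.get("rel") or "").lower().split()
                kind = "active" if "stylesheet" in rel else None
            elif (tag, attr) in PASSIVE:
                kind = "passive"
            if kind is None or not value:
                continue
            url = urljoin(self.page_url, value)  # resolve relative and //host forms
            host = urlsplit(url).netloc
            if host and host != self.own_host:   # same-origin and data: URLs are skipped
                self.findings.append((kind, tag, url))


def audit(html, page_url):
    """Return third-party resource loads found in html served from page_url."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page and hosts, not the real WUI markup.
SAMPLE = """<html><head><link rel="stylesheet" href="/tahoe.css">
<script src="/d3.min.js"></script></head><body>
<img src="https://charts.example.net/chart?chd=t:10,20,30">
<script src="https://cdn.example.net/lib.js"></script></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE, "http://127.0.0.1:3456/status/"):
        print(kind, tag, url)
```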