[tahoe-lafs-trac-stream] [tahoe-lafs] #1798: Segregate gateway HTTP ports: one for raw bytes and one for generated WUI pages

[tahoe-lafs]

#1798: Segregate gateway HTTP ports: one for raw bytes and one for generated WUI
pages
----------------------------+----------------------------------------------
     Reporter:  davidsarah  |      Owner:
         Type:  defect      |     Status:  new
     Priority:  major       |  Milestone:  soon
    Component:  code-       |    Version:  1.9.2
  frontend-web              |   Keywords:  wui same-origin security capleak
   Resolution:              |
Launchpad Bug:              |
----------------------------+----------------------------------------------

Old description:

> This is a complementary approach to #1797 and #827 for solving the same-
> origin security problems described in #615.
>
> Note that it has no security benefit on Internet Explorer because IE
> treats all ports on a host as being in the same origin. It does have
> benefit on other browsers.

New description:

 This is a complementary approach to #1797 and #827 for solving the same-
 origin security problems described in #615.

 Note that it has no security benefit on Internet Explorer because IE
 treats all ports on a host as being in the same origin. It does have
 benefit on other browsers.

--

Comment (by freddyb):

 I'd like to take this and separate the ports used for WUI pages and
 downloads.
 I think I've read some parts of the affected code but would need some help
 on one part or another.

 I could also try take a stab at the other referenced tickets, though I
 find this approach the most desirable, as browsers itself (regardless of
 vendor and version) enforce a strict separation between origins.

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1798#comment:2>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage