[tahoe-lafs-trac-stream] [tahoe-lafs] #1455: WUI: ambiently accessible pages should framebust in order to prevent UI redressing attacks
tahoe-lafs
trac at tahoe-lafs.org
Sat Nov 30 15:25:19 UTC 2013
-----------------------------+---------------------------------------------
Reporter: davidsarah         | Owner:
Type: defect                 | Status: new
Priority: minor              | Milestone: undecided
Component: code-frontend-web | Version: 1.8.2
Resolution:                  | Keywords: security ambient wui redressing
Launchpad Bug:               |
-----------------------------+---------------------------------------------
Comment (by ChosenOne):
OK, it seems easy enough to do this for uri/ and file/ resources by
patching the FileHandler and URIHandler classes in root.py. See
[https://github.com/freddyb/tahoe-lafs/commit/c73f46675e57c30c957fe87e0d87504051bac5e0 this commit]
on my feature branch.
I have yet to figure out how to do this for things like /statistics,
/status, etc. It seems undesirable to re-implement this for every subpage
in its own file in src/web/. This would mean that every new subresource
would have to remember to do this again to ensure that no URL is left
behind ;)
Wouldn't it make sense to build a tiny abstraction layer on top of nevow's
`rend.Page` that ensures proper response headers and is to be used in all
files? This would still require changes in all files, but these could be
less careful, as we would just replace the `rend.Page` references.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1455#comment:4>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
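The comment above argues for setting the anti-framing headers in one shared layer rather than in every handler file. The following is an added illustration of that idea and is not Tahoe-LAFS or nevow code: instead of a `rend.Page` subclass it uses a generic WSGI middleware (a hypothetical `FrameBustingMiddleware`), so it runs stand-alone. It sends `X-Frame-Options: DENY` plus `Content-Security-Policy: frame-ancestors 'none'` on every response that does not already carry its own framing policy, appends `frame-ancestors` to a handler-supplied CSP that lacks it, and includes a small audit (`audit_paths`) that reports which paths of an app are still frameable. The routes (`/uri/`, `/statistics`, `/status`, `/csp`, `/embeddable`) and the `sample_app` are constructed for the example.

```python
"""Added example (not Tahoe-LAFS or nevow code): apply anti-framing
headers centrally via WSGI middleware, and audit an app for paths that
are still frameable.  Handlers and routes below are constructed."""

# Headers added when a handler has set no framing policy of its own.
# Browsers that understand CSP2 give frame-ancestors precedence over
# X-Frame-Options; sending both covers older browsers too.
FRAME_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


def add_frame_headers(headers):
    """Return a copy of ``headers`` with a framing policy guaranteed.

    A handler-supplied X-Frame-Options value is kept (explicit opt-out,
    e.g. SAMEORIGIN).  A handler-supplied CSP that says nothing about
    frame-ancestors gets ``frame-ancestors 'none'`` appended, because a
    CSP without it does not restrict framing at all.
    """
    out = []
    have_xfo = have_csp = False
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            have_xfo = True
        elif lname == "content-security-policy":
            have_csp = True
            if "frame-ancestors" not in value.lower():
                value = value.rstrip().rstrip(";") + "; frame-ancestors 'none'"
        out.append((name, value))
    if not have_xfo:
        out.append(FRAME_HEADERS[0])
    if not have_csp:
        out.append(FRAME_HEADERS[1])
    return out


class FrameBustingMiddleware:
    """Hypothetical middleware: wraps any WSGI app so every response is
    protected without each handler having to remember it."""

    def __init__(self, app, exempt_prefixes=()):
        self.app = app
        self.exempt_prefixes = tuple(exempt_prefixes)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        exempt = bool(self.exempt_prefixes) and path.startswith(self.exempt_prefixes)

        def wrapped_start_response(status, headers, exc_info=None):
            if not exempt:
                headers = add_frame_headers(headers)
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


# Constructed sample app standing in for a web frontend with several
# independently written subpages.  Only /embeddable and /csp set anything
# framing-related themselves, and /csp gets it wrong (no frame-ancestors).
ROUTES = {
    "/uri/": [("Content-Type", "text/html")],
    "/statistics": [("Content-Type", "text/html")],
    "/status": [("Content-Type", "text/html")],
    "/csp": [("Content-Type", "text/html"),
             ("Content-Security-Policy", "default-src 'self'")],
    "/embeddable": [("Content-Type", "text/html"),
                    ("X-Frame-Options", "SAMEORIGIN")],
}
SAMPLE_PATHS = sorted(ROUTES)


def sample_app(environ, start_response):
    path = environ.get("PATH_INFO", "")
    headers = ROUTES.get(path)
    if headers is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", list(headers))
    return [b"<html>" + path.encode() + b"</html>"]


def call_app(app, path):
    """Invoke a WSGI app in-process; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


def is_frame_protected(headers):
    """True if the response forbids framing via XFO or CSP frame-ancestors."""
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options" and value.upper() in ("DENY", "SAMEORIGIN"):
            return True
        if lname == "content-security-policy" and "frame-ancestors" in value.lower():
            return True
    return False


def audit_paths(app, paths):
    """Return the paths whose responses can still be framed."""
    return [p for p in paths if not is_frame_protected(call_app(app, p)[1])]


if __name__ == "__main__":
    print("unprotected before:", audit_paths(sample_app, SAMPLE_PATHS))
    print("unprotected after: ", audit_paths(FrameBustingMiddleware(sample_app), SAMPLE_PATHS))
```

The audit is the check a practitioner wants after such a change: run it over every route the frontend registers, not just the ones that were patched by hand. The `exempt_prefixes` opt-out exists for pages that genuinely must be embedded; anything ambiently reachable should not be on that list.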