[tahoe-lafs-trac-stream] [tahoe-lafs] #821: A script in a file viewed through the WUI can obtain the file's read cap
tahoe-lafs
trac at tahoe-lafs.org
Sat Sep 14 17:39:49 UTC 2013
#821: A script in a file viewed through the WUI can obtain the file's read cap
------------------------------+-----------------------------------------------------------
Reporter:   davidsarah        | Owner:      davidsarah
Type:       defect            | Status:     assigned
Priority:   major             | Milestone:  soon
Component:  code-frontend-web | Version:    1.5.0
Resolution:                   | Keywords:   newcaps newurls confidentiality capleak websec
Launchpad Bug:                |
------------------------------+-----------------------------------------------------------
Changes (by zooko):
* keywords: newcaps newurls confidentiality capleak => newcaps newurls
confidentiality capleak websec
Old description:
> http://allmydata.org/trac/tahoe/ticket/98#comment:22
>
> A script (such as JavaScript) in an [X]HTML file viewed through the WUI
> can obtain the read cap for that file. For an immutable file, this is not
> much of a problem because the script can read the contents of the file
> anyway. However, for a mutable file, it can also read any future version,
> which is a violation of the Principle of Least Authority.
New description:
http://allmydata.org/trac/tahoe/ticket/98#comment:22
A script (such as JavaScript) in an [X]HTML file viewed through the WUI
can obtain the read cap for that file. For an immutable file, this is not
much of a problem because the script can read the contents of the file
anyway. However, for a mutable file, it can also read any future version,
which is a violation of the Principle of Least Authority.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/821#comment:13>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage