[tahoe-lafs-trac-stream] [tahoe-lafs] #1215: add CORS support

tahoe-lafs trac at tahoe-lafs.org
Sat Sep 14 17:40:22 UTC 2013


#1215: add CORS support
-------------------------+-------------------------------------------------
     Reporter:  warner   |      Owner:
         Type:           |     Status:  new
  enhancement            |  Milestone:  undecided
     Priority:  major    |    Version:  1.8.0
    Component:  code-    |   Keywords:  security http same-origin cors
  frontend-web           |  websec
   Resolution:           |
Launchpad Bug:           |
-------------------------+-------------------------------------------------
Changes (by zooko):

 * keywords:  security http same-origin cors => security http same-origin
     cors websec


Old description:

> If the webapi client emitted a header like this on every page:
>
> {{{
> Access-Control-Allow-Origin: *
> }}}
>
> Then, in sufficiently-modern browsers, web pages pulled from arbitrary
> third-party sites would be able to perform XHR to the Tahoe webapi server
> without interference by the regrettable "same-origin policy".
>
> Clients who want to use this (i.e. web pages from third parties) must do
> a slightly different form of XHR than usual: I'm looking at
> [http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/ this]
> and [http://softwareas.com/cors-scraping-and-microformats this] for details.
>
> One quirk to keep in mind is that clients (i.e. those third parties) can
> set a flag on their XHR calls to cause the browser to include any cookies
> that the tahoe webapi might have set. We all know to not use cookies for
> authorization, but once we enable CORS, we should make extra sure to not
> add any code which accepts authority information from cookies.

New description:

 If the webapi client emitted a header like this on every page:

 {{{
 Access-Control-Allow-Origin: *
 }}}

 Then, in sufficiently-modern browsers, web pages pulled from arbitrary
 third-party sites would be able to perform XHR to the Tahoe webapi server
 without interference by the regrettable "same-origin policy".

 Clients who want to use this (i.e. web pages from third parties) must do a
 slightly different form of XHR than usual: I'm looking at
 [http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/ this]
 and [http://softwareas.com/cors-scraping-and-microformats this] for details.

 One quirk to keep in mind is that clients (i.e. those third parties) can
 set a flag on their XHR calls to cause the browser to include any cookies
 that the tahoe webapi might have set. We all know to not use cookies for
 authorization, but once we enable CORS, we should make extra sure to not
 add any code which accepts authority information from cookies.

--

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1215#comment:14>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
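An added illustration (not Tahoe-LAFS code, not part of the ticket) of the two points the description makes: emit the wildcard CORS header, and take authority only from the capability in the URL, never from a cookie. The store, the capability strings, the `/uri/` path shape and the `cap` cookie name are constructed placeholders; `trust_cookies=True` exists only to show the mistake the ticket warns against.

```python
import re

# Constructed store: capability string -> content. The caps are placeholders,
# not real Tahoe-LAFS capabilities.
STORE = {"URI:CHK:placeholdercap": b"hello from the grid"}
CAP_RE = re.compile(r"^/uri/(URI:[A-Za-z0-9:_-]+)$")


def cors_headers():
    # "*" lets any origin read the response. Browsers refuse to expose a "*"
    # response to a credentialed request, and we never emit
    # Access-Control-Allow-Credentials, so cookies give a third party nothing.
    return [("Access-Control-Allow-Origin", "*"),
            ("Access-Control-Allow-Methods", "GET, OPTIONS")]


def authority_from_request(path, headers, trust_cookies=False):
    """Return the capability that authorizes this request, or None.

    Only the URL path is consulted. trust_cookies=True models the mistake the
    ticket warns against: a cookie-held cap that the browser would attach to
    a third party's credentialed cross-site XHR."""
    m = CAP_RE.match(path)
    if m:
        return m.group(1)
    if trust_cookies:
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "cap" and value:
                return value
    return None


def handle(method, path, headers, trust_cookies=False):
    """Minimal webapi handler returning (status, response_headers, body)."""
    if method == "OPTIONS":  # CORS preflight
        return 204, cors_headers(), b""
    if method != "GET":
        return 405, cors_headers(), b"method not allowed"
    cap = authority_from_request(path, headers, trust_cookies)
    body = STORE.get(cap) if cap else None
    if body is None:
        return 404, cors_headers(), b"not found"
    return 200, cors_headers() + [("Content-Type", "text/plain")], body


def cors_policy_is_safe(response_headers):
    """Flag a wildcard origin combined with Access-Control-Allow-Credentials."""
    h = {k.lower(): v.lower() for k, v in response_headers}
    return not (h.get("access-control-allow-origin") == "*"
                and h.get("access-control-allow-credentials") == "true")
```

With the default `trust_cookies=False`, a request that carries the cap only in a cookie is refused, which is the property to keep once the wildcard header is turned on.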