[tahoe-lafs-trac-stream] [Tahoe-LAFS] #1942: replace google chart in wui with d3.js: it leaks information
Tahoe-LAFS
trac at tahoe-lafs.org
Tue Aug 30 01:33:39 UTC 2016
#1942: replace google chart in wui with d3.js: it leaks information
-------------------------+-------------------------------------------------
Reporter: leif | Owner: nobody
Type: task | Status: new
Priority: normal | Milestone: 1.12.0
Component: code-frontend-web | Version: 1.9.2
Resolution: | Keywords: anonymity privacy security websec tor-protocol i2p
Launchpad Bug: |
-------------------------+-------------------------------------------------
Changes (by warner):

 * milestone: soon => 1.12.0

Comment:

I'm provisionally moving this into the 1.12 milestone, in case we want to
make a push for #1010 {{{anonymous = true}}}, which I think would depend
upon making this fix.

If so, I think it'd be acceptable to change the WUI to not serve that IMG
tag when we're in anonymous mode. That'd be a bit quicker of a fix than
properly re-implementing the chart.

We might not treat 1.12 as the "client-side Tor enabled" release, in which
case we can push this out a bit further.

Note that if you're using a non-Tor-ified browser to view files coming out
of your Tahoe client, then those files could use their own image tags to
leak your IP address. Not a reason to not fix this, but something to
remain aware of.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1942#comment:17>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
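
The leak discussed in this ticket comes from a WUI page carrying a tag that makes the browser contact a third-party host on its own. As an added example (not Tahoe-LAFS code), the check below lists the tags in a rendered page that would trigger such a fetch without any click; the page URL, the host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes a browser fetches automatically when rendering the page.
# <link> is treated conservatively: every href counts, whatever its rel value.
AUTO_FETCH = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",), "embed": ("src",), "object": ("data",),
}

def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

class ThirdPartyFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in AUTO_FETCH.get(tag, ()):
                continue
            # Resolve relative and protocol-relative references first.
            target = urljoin(self.page_url, value.strip())
            if urlsplit(target).scheme not in ("http", "https"):
                continue  # data: and similar URIs cause no network request
            if _origin(target) != _origin(self.page_url):
                self.leaks.append((tag, name, target))

def third_party_loads(html, page_url):
    """Return (tag, attribute, url) for every automatic cross-origin fetch."""
    finder = ThirdPartyFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.leaks

# Constructed sample page, as if served by a local web UI (assumed address).
SAMPLE_URL = "http://127.0.0.1:3456/status"
SAMPLE_PAGE = """<html><body>
<img src="/static/logo.png">
<img src="http://chart.example.com/chart?data=10,20">
<script src="//cdn.example.net/lib.js"></script>
<a href="http://elsewhere.example.org/">needs a click, not flagged</a>
<img src="data:image/png;base64,AAAA">
</body></html>"""

if __name__ == "__main__":
    for leak in third_party_loads(SAMPLE_PAGE, SAMPLE_URL):
        print(leak)
```

Run against every page the web UI renders in anonymous mode, an empty result is the property the ticket asks for.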