Brainstorm webapi vulnerabilities between the operator and a user and between users.

[nejucomo]

Problem: The webapi interface design seems to presume the node operator and users are mutually trusting. There is some demand for "public" web gateways to content in a LAFS network, where the users and gateway operator do not fully trust each other.

Resolution: This ticket is resolved when the vulnerabilities are enumerated to the operator coming from users, to the users from the operator, and from the users between themselves.

Bonus Points awarded for each of: configuration options which reduce a given vulnerabily's risk; workarounds which do not require code patches (external tools are ok); and outlines of code patches to reduce the vulnerability.

Related Tickets:

• #1663 is for documenting the complete URL tree in a concise table.
• #860 is a user request for a public gateway that does not expose the introducer furl.
• #587 points out that any webapi user may upload content (even without using capabilities).