#1798 new defect

Segregate gateway HTTP ports: one for raw bytes and one for generated WUI pages — at Version 2

Reported by: davidsarah
Owned by:
Priority: major
Milestone: soon
Component: code-frontend-web
Version: 1.9.2
Keywords: wui same-origin security capleak
Cc: freddyb
Launchpad Bug:

Description (last modified by freddyb)

This is a complementary approach to #1797 and #827 for solving the same-origin security problems described in #615.

Note that it has no security benefit on Internet Explorer because IE treats all ports on a host as being in the same origin. It does have benefit on other browsers.
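
The origin comparison this approach depends on, as an added example that is not part of the ticket or of the project's code. Ports 3456 and 3457, the `/uri/EXAMPLE-CAP` path and all function names are constructed for illustration; the `ignorePort` option models the IE behaviour noted above.

```javascript
// Added example: how a browser's origin tuple separates two gateway ports.
// All URLs below are constructed; they are not taken from the ticket.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Build the (scheme, host, port) tuple used for same-origin comparison,
// filling in the scheme's default port when the URL omits it.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// ignorePort: true models a browser that treats all ports on a host
// as one origin (the IE behaviour the description mentions).
function sameOrigin(a, b, { ignorePort = false } = {}) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme &&
         x.host === y.host &&
         (ignorePort || x.port === y.port);
}

// For a generated-page URL and a raw-bytes URL, report whether the two
// are separate origins under each rule (true = isolated from each other).
function isolationReport(pageUrl, rawUrl) {
  return {
    standard: !sameOrigin(pageUrl, rawUrl),
    ieLegacy: !sameOrigin(pageUrl, rawUrl, { ignorePort: true }),
  };
}

// Segregated ports: isolated on port-aware browsers, not under the IE rule.
console.log(isolationReport("http://127.0.0.1:3456/",
                            "http://127.0.0.1:3457/uri/EXAMPLE-CAP"));
// Single shared port: one origin everywhere, so no isolation at all.
console.log(isolationReport("http://127.0.0.1:3456/",
                            "http://127.0.0.1:3456/uri/EXAMPLE-CAP"));
```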

Change History (2)

comment:1 Changed at 2012-08-28T17:08:31Z by davidsarah

  • Keywords capleak added

comment:2 Changed at 2013-12-02T15:26:04Z by freddyb

  • Description modified (diff)

I'd like to take this and separate the ports used for WUI pages and downloads. I think I've read some parts of the affected code but would need some help on one part or another.

I could also try to take a stab at the other referenced tickets, though I find this approach the most desirable, as browsers themselves (regardless of vendor and version) enforce a strict separation between origins.
