Can JavaScript loaded from Tahoe access all your content which is loaded from Tahoe?

[zooko]

Several web security experts (who will remain unnamed in this ticket since they have yet to show me a working exploit) have said that if have a page containing JavaScript in one window or tab of a web browser, and you have another page in a different window or tab of that browser, that the web browser will inspect the "origin" of the JavaScript and the "origin" of the other page to decide whether the JavaScript will be allowed to read or change parts of the other page (including its URL).

By "origin", these web security experts tell me, web browsers mean "host and port number" (or possibly they look at only the top two elements of the host domain name). Since all pages that are stored on tahoe and that you are viewing in a web browser are coming from the same host (sometimes localhost or 127.0.0.1) and port number, this means any JavaScript that you view through your tahoe node can access all the URLs of all the other pages you have loaded (or possibly have ever loaded since you launched your browser) from Tahoe. (Furthermore, just to make things worse, these web security experts allege that it might be possible for the JavaScript program to stay running in your browser even after you close that tab or window and continue to access your other tabs or windows which were loaded from the same "origin".)

If true, this is bad. Because those other pages, while they are loaded from the same host and portnumber, could actually be from very different origins. One might be a cute game that you want to play that was passed along from a friend of a friend. Another might be your personal finance database with all of your bank account numbers and billing information. We would like it if the web browser would allow you to play the fun game in one window, and edit your personal finance document in another window, without giving the game the ability to read (and therefore to upload) or change your personal document. Even though both pages were loaded from ​http://127.0.0.1:4567 or from ​http://testgrid.allmydata.org:3567 or whatever.

In the long run it might be possible for us to arrange to do this, such as by embedding a unique string, possibly the verifycap or possibly an incrementing string, into the domain name, or by taking advantage of some not-yet-created mechanism to tell web browsers "No, no, these two things are of different origins even though they are loaded from the same host and port.".

In the short run, it might be wise to avoid looking at pages in tahoe if they might have malicious content on them, unless you first turn off JavaScript in your web browser. Hopefully someone will help us understand exactly how dangerous this situation is, by posting a working exploit or some sort of proof that is is safe.