Changes between Initial Version and Version 7 of Ticket #674


Timestamp: 2011-07-25T22:31:53Z (13 years ago)
Author: zooko

  • Ticket #674

    • Property Keywords wui confidentiality privacy anti-censorship added
    • Property Component changed from unknown to code-frontend-web
  • Ticket #674 – Description

    initial v7  
    1 Currently the Welcome Page of the WUI is reachable without knowing any secret, for example, this one: http://testgrid.allmydata.org:3567 .   (If you configure your WUI to listen for connections only from localhost then that prevents people from connecting to it from other hosts, but it doesn't prevent CSRF attacks in which someone posts a web page to Tahoe, and when you view that page with JavaScript enabled, or click on a button on that page, then it accesses your WUI.)
     1Currently the Welcome Page of the WUI is reachable without knowing any secret, for example, this one: http://testgrid.allmydata.org:3567 .   (If you configure your WUI to listen for connections only from localhost then that prevents people from connecting to it from other hosts, but it doesn't prevent CSRF attacks in which someone posts a web page to Tahoe, and when you view that page with !JavaScript enabled, or click on a button on that page, then it accesses your WUI.)
    22
    33It would be good to have a page which is access-controlled by use of a secret capability even though it isn't specific to a file or directory.  The entire Welcome Page might belong no that Access Controlled Welcome Page, or maybe only the sensitive pieces would go onto the Access Controlled Welcome Page.
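
Review bot: in line 3 of the description, "might belong no that Access Controlled Welcome Page" reads as a typo for "belong on that". It is carried unchanged from the initial version into v7, so it could be corrected in the same edit that changes line 1 (JavaScript to !JavaScript).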