1 | | Currently the Welcome Page of the WUI is reachable without knowing any secret, for example, this one: http://testgrid.allmydata.org:3567 . (If you configure your WUI to listen for connections only from localhost then that prevents people from connecting to it from other hosts, but it doesn't prevent CSRF attacks in which someone posts a web page to Tahoe, and when you view that page with JavaScript enabled, or click on a button on that page, then it accesses your WUI.) |
| 1 | Currently the Welcome Page of the WUI is reachable without knowing any secret, for example, this one: http://testgrid.allmydata.org:3567 . (If you configure your WUI to listen for connections only from localhost then that prevents people from connecting to it from other hosts, but it doesn't prevent CSRF attacks in which someone posts a web page to Tahoe, and when you view that page with !JavaScript enabled, or click on a button on that page, then it accesses your WUI.) |
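Review bot: in the parenthetical on the new line 1, the localhost-binding point and the CSRF point are packed into a single long sentence, which makes the argument hard to follow. Consider splitting it and saying explicitly that the listen address limits which hosts can connect, not which page caused the local browser's request, which is why the CSRF case remains. The `!` before JavaScript is the only textual difference from the old line and reads as a wiki-link escape, so it needs no further action.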