#127: Cap URLs leaked via HTTP Referer header
-------------------------------+--------------------------------------------
 Reporter:  warner             |           Owner:           
     Type:  defect             |          Status:  new      
 Priority:  major              |       Milestone:  undecided
Component:  code-frontend-web  |         Version:  0.7.0    
 Keywords:  security           |   Launchpad_bug:           
-------------------------------+--------------------------------------------

Comment(by davidsarah):

 If all of these work, option C seems to be the simplest. Option A requires
 an ftp server, which seems like an unwarranted excursion if we can
 possibly avoid it. Option B depends on more of the DOM and HTML, hence
 greater exposure to browser idiosyncrasies, than option C does.

 (The location URL in option C needs to be properly escaped for an URL-in-
 JSStringLiteral-in-HTML-in-JSStringLiteral-in-JSStringLiteral-in-HTML, but
 that's straightforward :-)

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/127#comment:17>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
_______________________________________________
tahoe-dev mailing list
[email protected]
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
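
The nesting named in the comment above, written out as layered output encoding with a round-trip check. This is an added example, not code from the ticket or from Tahoe-LAFS; it assumes each HTML layer is an attribute value and each JSStringLiteral is a quoted JavaScript string, and all function names and the sample URL are constructed.

```javascript
// Added example: one encoder per context, applied innermost-first.
// Assumption: each "JSStringLiteral" is a quoted JS string and each "HTML"
// layer is an attribute value (the ticket comment does not say which).

// JS string-literal layer: \uXXXX for backslash, quotes, control chars and
// the U+2028/U+2029 line terminators.
const jsString = s =>
  s.replace(/[\\'"\u0000-\u001f\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));

// HTML attribute layer: entity-encode the five significant characters.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const html = s => s.replace(/[&<>"']/g, c => ENT[c]);

// Inverses, standing in for what the browser's parsers do at each layer.
const REV = Object.fromEntries(Object.entries(ENT).map(([c, e]) => [e, c]));
const unHtml = s => s.replace(/&(?:amp|lt|gt|quot|#39);/g, e => REV[e]);
const unJsString = s => JSON.parse('"' + s + '"');

// URL-in-JSStringLiteral-in-HTML-in-JSStringLiteral-in-JSStringLiteral-in-HTML
const ENCODERS = [jsString, html, jsString, jsString, html];           // innermost first
const DECODERS = [unHtml, unJsString, unJsString, unHtml, unJsString]; // outermost first

const encodeNested = url => ENCODERS.reduce((v, f) => f(v), url);
const decodeNested = text => DECODERS.reduce((v, f) => f(v), text);

// Constructed sample URL (not a real cap) with characters that matter.
const SAMPLE = "http://127.0.0.1:3456/uri/URI%3ADIR2%3Aexample?t=json&name=it's";

function demo() {
  const encoded = encodeNested(SAMPLE);
  return { encoded, roundTrip: decodeNested(encoded) };
}
console.log(demo());
```

Each layer re-escapes the escape characters introduced by the layer inside it, which is why the single quote ends up behind two escaped backslashes and the ampersand is entity-encoded twice.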
