Which reminds me: How does the WUI protect against cross-site scripting?
Many systems like it ("browse this file share through your browser") suffer
from XSS sadness. (Have we talked about this before? Sorry if so.)

One approach is to serve files from a different origin than the WUI itself, e.g. how Google's cache serves its files from an IP address. (Thus, content written by somebody else does not get served from the http://www.google.com:80 origin --- thankfully.)

Another approach is to serve with Content-Disposition: attachment, but that is less reliable and potentially annoying ("I actually *did* want to see it inside the browser!"). It was a hack that some people used to get around the "universal PDF XSS" attack a few years back.

_______________________________________________
tahoe-dev mailing list
[email protected]
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
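The two defenses described in the post, as an added example that is not part of the original message or of Tahoe-LAFS: the WUI origin, the separate file origin and the list of types allowed to render inline on the WUI origin are assumptions, and the inline-type whitelist goes slightly beyond the post's own suggestion.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed origins for this example (not Tahoe-LAFS configuration).
UI_ORIGIN = "http://wui.example.test:8123"
FILE_ORIGIN = "http://198.51.100.7:8124"   # separate host for untrusted content

# Types a browser can show inline without running script in the serving origin;
# text/html, image/svg+xml and XML types are deliberately excluded.
INLINE_SAFE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """(scheme, host, port) triple; a missing port means the scheme default."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme))


def same_origin(a, b):
    return origin_of(a) == origin_of(b)


def file_url(ui_path):
    """Defense 1: rewrite a WUI file path onto the separate file origin."""
    f = urlsplit(FILE_ORIGIN)
    return urlunsplit((f.scheme, f.netloc, ui_path, "", ""))


def _header_safe(name):
    # Drop control characters, quotes and backslashes so the stored filename
    # cannot terminate the header value or inject a new header line.
    return "".join(c for c in name if c >= " " and c not in '"\\')


def file_response_headers(request_url, filename, content_type, want_inline):
    """Headers for serving an untrusted stored file in reply to request_url."""
    headers = {"Content-Type": content_type,
               "X-Content-Type-Options": "nosniff"}   # no sniffing up to text/html
    fname = _header_safe(filename)
    inline_ok = want_inline and (
        not same_origin(request_url, UI_ORIGIN)      # other origin: no WUI cookies/DOM
        or content_type in INLINE_SAFE_TYPES)        # WUI origin: passive types only
    if inline_ok:
        headers["Content-Disposition"] = 'inline; filename="%s"' % fname
    else:
        # Defense 2: force a download so markup never renders in the WUI origin.
        headers["Content-Disposition"] = 'attachment; filename="%s"' % fname
    return headers
```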
