#1798 new defect

Segregate gateway HTTP ports: one for raw bytes and one for generated WUI pages

Reported by: davidsarah Owned by: freddyb
Priority: major Milestone: soon
Component: code-frontend-web Version: 1.9.2
Keywords: wui same-origin security capleak Cc: freddyb
Launchpad Bug:

Description (last modified by freddyb)

This is a complementary approach to #1797 and #827 for solving the same-origin security problems described in #615.

Note that it has no security benefit on Internet Explorer because IE treats all ports on a host as being in the same origin. It does have benefit on other browsers.

Change History (5)

comment:1 Changed at 2012-08-28T17:08:31Z by davidsarah

  • Keywords capleak added

comment:2 Changed at 2013-12-02T15:26:04Z by freddyb

  • Description modified (diff)

I'd like to take this and separate the ports used for WUI pages and downloads. I think I've read some parts of the affected code but would need some help on one part or another.

I could also try take a stab at the other referenced tickets, though I find this approach the most desirable, as browsers itself (regardless of vendor and version) enforce a strict separation between origins.

comment:3 Changed at 2013-12-02T17:58:54Z by zooko

  • Owner set to freddyb

Sweet! Thanks, freddyb!

I'm not sure if it is also worth making separate ports for downloads (the result of a GET from /named/) (see also #1903) from view/display (the result of a /uri/).

comment:4 Changed at 2013-12-15T11:52:11Z by freddyb

I'm not sure I fully understand. Do you mean three ports? WUI, Download and display? Why should download and display be separated?

I thought about one port for download&display and one port for WUI and I realize that this might be much more work than anticipated, considering that I didn't think about the cli, which might need updating too.

I think it could be useful to redirect (http 301 moved permantently) GET requests for files that accidentally go to the WUI port. This could benefit compatibility and help identifying code points that don't use the new port.

comment:5 Changed at 2013-12-15T15:18:32Z by daira

Zooko, I don't see any security motivation for doing that. Both downloads and views are serving untrusted content, and the distinction between download and view is context-dependent (for example, an <img> tag always displays its referent regardless of Content-Disposition).

Note: See TracTickets for help on using tickets.