From 1bf0515484743c0c13e38ab2dd843bf85368da56 Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@allmydata.com>
Date: Wed, 11 Feb 2009 14:14:53 -0700
Subject: [PATCH] docs/known_issues: mention #615 javascript-vs-frames, for
 zooko to improve/rewrite

---
 docs/known_issues.txt | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/docs/known_issues.txt b/docs/known_issues.txt
index 59178239..d4287956 100644
--- a/docs/known_issues.txt
+++ b/docs/known_issues.txt
@@ -10,6 +10,26 @@ Tahoe-LAFS can be found at
 
 http://allmydata.org/source/tahoe/trunk/docs/historical/historical_known_issues.txt
 
+== issues in Tahoe v1.3.0, not yet released ==
+
+=== unauthorized access by JavaScript in other tabs/frames ===
+
+If you use a web browser to view a javascript-bearing HTML document that is
+served from a Tahoe node, then that javascript program can learn the access
+caps for any other file or directory, served by the same Tahoe node, that you
+are currently viewing in other tabs or frames. This is a consequence of the
+common "Same Origin Policy" as applied to javascript and inter-frame access,
+in which the browser mistakenly believes that two documents retrieved from
+the same server should have access to each others DOM state. Note that some
+browsers are quite enthusiastic about interpreting <script> tags inside
+viewed files, even ones not marked as HTML.
+
+The current recommended workaround is to close all Tahoe-served tabs and
+frames before opening a Tahoe-served javascript-bearing HTML file.
+
+Please see ticket #615 for more details:
+http://allmydata.org/trac/tahoe/ticket/615
+
 == issues in Tahoe v1.2.0, released 2008-06-21 ==
 
 === issue 1: potential disclosure of a file through embedded
-- 
2.45.2