From: Brian Warner Date: Wed, 11 Feb 2009 21:14:53 +0000 (-0700) Subject: docs/known_issues: mention #615 javascript-vs-frames, for zooko to improve/rewrite X-Git-Tag: allmydata-tahoe-1.3.0~37 X-Git-Url: https://git.rkrishnan.org/pf/content/simplejson/decoder.py.html?a=commitdiff_plain;h=1bf0515484743c0c13e38ab2dd843bf85368da56;p=tahoe-lafs%2Ftahoe-lafs.git docs/known_issues: mention #615 javascript-vs-frames, for zooko to improve/rewrite --- diff --git a/docs/known_issues.txt b/docs/known_issues.txt index 59178239..d4287956 100644 --- a/docs/known_issues.txt +++ b/docs/known_issues.txt @@ -10,6 +10,26 @@ Tahoe-LAFS can be found at http://allmydata.org/source/tahoe/trunk/docs/historical/historical_known_issues.txt +== issues in Tahoe v1.3.0, not yet released == + +=== unauthorized access by JavaScript in other tabs/frames === + +If you use a web browser to view a javascript-bearing HTML document that is +served from a Tahoe node, then that javascript program can learn the access +caps for any other file or directory, served by the same Tahoe node, that you +are currently viewing in other tabs or frames. This is a consequence of the +common "Same Origin Policy" as applied to javascript and inter-frame access, +in which the browser mistakenly believes that two documents retrieved from +the same server should have access to each others DOM state. Note that some +browsers are quite enthusiastic about interpreting