nodeSolidServer / node-solid-server

Solid server on top of the file-system in NodeJS
https://solidproject.org/for-developers/pod-server

Access control by origin header not working? #986

Open JornWildt opened 5 years ago

JornWildt commented 5 years ago

First a disclaimer - it is very difficult to find any documentation about access control for web-apps, so I am possibly wrong here. But here we go anyway ...

Assuming I have a browser web-app that lets me register my pets. My pets are very valuable to me and I really don't want any other web-apps to snoop into my pet collection even if I am logged in to my POD with some third party web-app.

How do I prohibit other web-apps from accessing my pets? Well, first of all I make sure that access control for my /pets folder is "specific" according to the data browser, which seems to be identical to creating a .acl file for the container. Then what?

At https://www.w3.org/wiki/WebAccessControl#Giving_a_specific_resource_access_to_an_Origin the following is suggested:

[] acl:accessToClass [ acl:regex "https://bblfish.solid.example/.*" ];  
   acl:mode acl:Write; 
   acl:origin <https://apps.rww.io>  .

So I add acl:origin <https://nothinguseful.org> to verify that no existing app, not even my own pet-app, has access, then try to work with the data from the pet-app ... and still have complete access.

The ACL file is located at https://elfisk.solid.community/places/hobby/.acl and contains:

@prefix : <#>.
@prefix n0: <http://www.w3.org/ns/auth/acl#>.
@prefix hobby: <./>.
@prefix c: </profile/card#>.

:owner
    n0:accessTo hobby:;
    n0:agent c:me, <mailto:jw@elfisk.dk>;
    n0:defaultForNew hobby:;
    n0:mode n0:Control, n0:Read, n0:Write;
    n0:origin <https://nothinguseful.org>.

The HTTP request sent is:

PUT https://elfisk.solid.community/places/hobby/yyy HTTP/1.1
Host: elfisk.solid.community
Connection: keep-alive
Content-Length: 347
authorization: Bearer ...
Origin: https://solidrc.azurewebsites.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
content-type: text/turtle
Accept: */*
Referer: https://solidrc.azurewebsites.net/Home/Locations
Accept-Encoding: gzip, deflate, br
Accept-Language: da-DK,da;q=0.9,en-US;q=0.8,en;q=0.7,sv;q=0.6,nb;q=0.5
Cookie: connect.sid=...
DNT: 1

@prefix : <#>. ... more turtle stuff ...

As you can see, the origin header is Origin: https://solidrc.azurewebsites.net - which is not matching the acl:origin value.

Is this a bug or me completely misunderstanding it all?

kjetilk commented 5 years ago

There might be two things: There is an option to enable strict origins in the config, so you may need to flip that. But it is also true that the origin checking in 4.x is really buggy. It is one of the main things that we fix in 5.0.0, we released a beta of that last night, but it needs some stabilization now.

So, I guess the best answer is to wait a bit. :-)

JornWildt commented 5 years ago

That's fair. But please be aware that not enabling strict origins checking can be a serious privacy issue. See the discussion here https://forum.solidproject.org/t/inter-app-access-control/184/18.

The issue is that you open the door to "evil" web-apps that harvest all of your personal data - contacts, private photos and maybe even documents from your doctors, lawyers etc.

This is no different from Windows - if I install a desktop application it will usually have access to almost everything. But more modern systems like iOS and Android require apps to ask for permissions before they can access your valuable data.

This is why I think it is important to have strict origin policy checking - but that is also a major usability problem since Solid has no standard protocol for granting apps access.

In my personal opinion this is a rather important issue to address.

kjetilk commented 5 years ago

Yes, I agree, @JornWildt , that is why strict origin is the default in 5.0.0, and we have tightened it a lot. It should be a matter of days now. I'll roll a new beta when #984 has been fixed, and then we should be able to put that up for public testing.

JornWildt commented 5 years ago

May I ask what "strict origin" is actually going to do?

Thanks.

kjetilk commented 5 years ago

There is something about it here: https://github.com/solid/web-access-control-spec#referring-to-origins-ie-web-apps We're also adding a trustedOrigin config parameter, which is an array of origins that will be trusted by default. But this is just a start of the security mechanism for web apps, we need to work on that. So, the answer is "depends", but for the most part, you'd have to explicitly grant access.
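The check the reporter expected from acl:origin, together with the trustedOrigin list kjetilk describes, as an added example in JavaScript. This is not node-solid-server's code: the ACL is assumed to be already parsed into plain objects (no RDF parser shown), `strictOrigin` and `trustedOrigins` are stand-in option names rather than the server's real config keys, and the policy itself (same-origin and trusted origins always pass, any other Origin needs an explicit acl:origin grant, a missing Origin header is treated as a non-browser client) is one reading of the linked spec section and of the comment above, not a description of what any release does.

```javascript
// Added example, not node-solid-server code. Evaluates the :owner
// authorization from the issue's /places/hobby/.acl against the PUT shown
// in the issue, with origin checking off (what the reporter saw) and on.
// ASSUMED: option names strictOrigin/trustedOrigins and the policy below.

const ACL = 'http://www.w3.org/ns/auth/acl#';
const HOBBY = 'https://elfisk.solid.community/places/hobby/';

// Constructed to mirror the :owner authorization in the posted .acl file,
// as it would look after parsing (acl:defaultForNew omitted for brevity).
const hobbyAcl = [
  {
    accessTo: [HOBBY],
    agent: ['https://elfisk.solid.community/profile/card#me', 'mailto:jw@elfisk.dk'],
    mode: [ACL + 'Control', ACL + 'Read', ACL + 'Write'],
    origin: ['https://nothinguseful.org'],
  },
];

// Serialise an origin the way browsers do for the Origin header:
// scheme://host[:port], lower-case host, default port dropped.
// Returns null for anything that is not a valid origin, including the
// literal "null" a browser sends for opaque origins.
function normalizeOrigin(value) {
  try {
    const o = new URL(value).origin;
    return o === 'null' ? null : o;
  } catch {
    return null;
  }
}

// Does `auth` grant `mode` to `agent` for a request carrying `origin`?
// `origin === undefined` means the header was absent (non-browser client).
function authorizationAllows(auth, { agent, mode, origin }, opts) {
  if (!auth.agent.includes(agent)) return false;
  if (!auth.mode.includes(ACL + mode)) return false;
  // Lenient mode (or no Origin header): acl:origin is never consulted.
  if (!opts.strictOrigin || origin === undefined) return true;

  const requestOrigin = normalizeOrigin(origin);
  if (requestOrigin === null) return false; // malformed or "null": deny
  // ASSUMED policy: the pod's own origin and configured trusted origins pass.
  const sameOrigin = auth.accessTo.map(normalizeOrigin).includes(requestOrigin);
  const trusted = (opts.trustedOrigins || []).map(normalizeOrigin);
  if (sameOrigin || trusted.includes(requestOrigin)) return true;
  // Everything else must be named explicitly via acl:origin.
  return (auth.origin || []).map(normalizeOrigin).includes(requestOrigin);
}

// Evaluate a request against every authorization that covers the resource.
function isAllowed(acl, request, opts) {
  return acl
    .filter((auth) => auth.accessTo.includes(request.resource))
    .some((auth) => authorizationAllows(auth, request, opts));
}

// The PUT from the issue: owner WebID, Write, Origin solidrc.azurewebsites.net.
// Evaluated against the container itself; defaultForNew inheritance to
// /places/hobby/yyy is assumed rather than modelled.
const issueRequest = {
  resource: HOBBY,
  agent: 'https://elfisk.solid.community/profile/card#me',
  mode: 'Write',
  origin: 'https://solidrc.azurewebsites.net',
};

// What the reporter saw (origin ignored) versus strict checking.
const lenient = isAllowed(hobbyAcl, issueRequest, { strictOrigin: false });
const strict = isAllowed(hobbyAcl, issueRequest, { strictOrigin: true });
console.log({ lenient, strict }); // lenient: true, strict: false
```

Two details worth keeping even if the policy changes: compare origins only after normalising them through the URL parser, so `https://NOTHINGUSEFUL.org:443` and `https://nothinguseful.org` match while a `null` or garbage Origin is refused, and keep the "no Origin header" branch deliberate, since a curl-style client is not a web app and the header cannot be spoofed by a page running in a browser.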

JornWildt commented 5 years ago

Sounds as if I need to install my own server in order to explore those features. Thanks.