A security issue for developpers POD

Smag0 · February 22, 2020, 5:28pm

as i developp some tools for Solid, i need to allow http://localhost:port to read / write to my pod, what write into my /profile/card#me to allow that “Trusted app” something like

   n1:mode n1:Append, n1:Read, n1:Write;
            n1:origin <http://127.0.0.1:3000>
        ],
    [ n1:mode n1:Append, n1:Read, n1:Write; n1:origin <http://127.0.0.1> ],
    [ n1:mode n1:Append, n1:Read, n1:Write; n1:origin <http://127.1.0.1> ],
        [
            n1:mode n1:Append, n1:Read, n1:Write;
            n1:origin <http://localhost:3000>
        ],

but my profile is public and can be accessed by everyone, i think, that everyone can make a local app on port 3000 and access what he want on my POD.
Am I right ?

jucole · February 22, 2020, 5:43pm

Not 100% but I thought you have to login as well so they would need to know your login credentials also?

aveltens · February 22, 2020, 9:20pm

@jucole is right. Trusting the app only means that already authorized users are granted access from this origin. If the user does not have access at all, it does not mean that she magically get’s access only because she uses an app from a trusted origin. Authorization is always managed by ACL.

Smag0 · February 22, 2020, 11:00pm

Thxs @jucole & @aveltens, you free a part of my fears

Topic		Replies	Views
Why is ACL:TrustedApp visible for everyone? (on CSS) Solid Specification	4	458	September 1, 2022
What prevent a malicious pod browser (or any app) to sneak/delete/corrupt all my data? Security	5	718	June 6, 2021
Authorisation for a mobile app Build a Solid App	16	1738	December 29, 2020
Preventing POD data from being copied	7	1944	January 29, 2021
Encrypted POD? Is solid designed with this in mind? If not, would it be possible to add? Security	29	8334	April 10, 2024

A security issue for developpers POD

Related topics