A security issue for developpers POD

Smag0 · February 22, 2020, 5:28pm

as i developp some tools for Solid, i need to allow http://localhost:port to read / write to my pod, what write into my /profile/card#me to allow that “Trusted app” something like

   n1:mode n1:Append, n1:Read, n1:Write;
            n1:origin <http://127.0.0.1:3000>
        ],
    [ n1:mode n1:Append, n1:Read, n1:Write; n1:origin <http://127.0.0.1> ],
    [ n1:mode n1:Append, n1:Read, n1:Write; n1:origin <http://127.1.0.1> ],
        [
            n1:mode n1:Append, n1:Read, n1:Write;
            n1:origin <http://localhost:3000>
        ],

but my profile is public and can be accessed by everyone, i think, that everyone can make a local app on port 3000 and access what he want on my POD.
Am I right ?

jucole · February 22, 2020, 5:43pm

Not 100% but I thought you have to login as well so they would need to know your login credentials also?

aveltens · February 22, 2020, 9:20pm

@jucole is right. Trusting the app only means that already authorized users are granted access from this origin. If the user does not have access at all, it does not mean that she magically get’s access only because she uses an app from a trusted origin. Authorization is always managed by ACL.

Smag0 · February 22, 2020, 11:00pm

Thxs @jucole & @aveltens, you free a part of my fears

Topic		Replies	Views
What prevent a malicious pod browser (or any app) to sneak/delete/corrupt all my data? Security	5	675	June 6, 2021
Preventing POD data from being copied	7	1857	January 29, 2021
Encrypted POD? Is solid designed with this in mind? If not, would it be possible to add? Security	29	7650	April 10, 2024
Basic question about authentication Solid: The Basics	12	5377	November 24, 2018
Possible to granulate which data you give access to?	4	441	January 31, 2023

A security issue for developpers POD

Related Topics