A security issue for developers POD


#1

As I develop some tools for Solid, I need to allow http://localhost:port to read / write to my pod, which writes into my /profile/card#me, to allow that “Trusted app”, something like:

    [
        n1:mode n1:Append, n1:Read, n1:Write;
        n1:origin <http://127.0.0.1:3000>
    ],
    [ n1:mode n1:Append, n1:Read, n1:Write; n1:origin <http://127.0.0.1> ],
    [ n1:mode n1:Append, n1:Read, n1:Write; n1:origin <http://127.1.0.1> ],
    [
        n1:mode n1:Append, n1:Read, n1:Write;
        n1:origin <http://localhost:3000>
    ],

But my profile is public and can be accessed by everyone. I think that everyone can make a local app on port 3000 and access what he wants on my POD.
Am I right?


#2

Not 100%, but I thought you have to log in as well, so they would need to know your login credentials also?


#3

@jucole is right. Trusting the app only means that already authorized users are granted access from this origin. If the user does not have access at all, it does not mean that she magically gets access only because she uses an app from a trusted origin. Authorization is always managed by ACL.
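
The rule described in post #3, as an added example that is not part of the thread and not the Solid server's own code: a simplified model in which a trusted origin only passes through modes the ACL already grants to the logged-in agent. The WebIDs, the ACL objects and the function name `effectiveModes` are constructed for illustration, and treating public grants as independent of origin is an assumption of this model.

```javascript
// Simplified model of "trusted app" + ACL evaluation (constructed data,
// hypothetical function name; not the server's real implementation).
const OWNER = 'https://alice.example/profile/card#me';   // constructed WebID
const OTHER = 'https://mallory.example/profile/card#me'; // constructed WebID

// ACL of a private resource: only the owner is authorized.
const privateAcl = { agents: { [OWNER]: ['Read', 'Write', 'Append'] }, public: [] };
// ACL of the public profile: everyone may read, only the owner may write.
const profileAcl = { agents: { [OWNER]: ['Read', 'Write', 'Append'] }, public: ['Read'] };

// Trusted-app entries taken from the owner's profile (origins as in post #1).
const ownerTrustedApps = {
  'http://localhost:3000': ['Append', 'Read', 'Write'],
  'http://127.0.0.1:3000': ['Append', 'Read', 'Write'],
};

// Returns the sorted modes a request is allowed.
// webId is null when the request is not authenticated.
function effectiveModes(acl, trustedApps, { webId, origin }) {
  // Assumption of this model: public grants need no login and no trusted origin.
  const granted = new Set(acl.public);
  // Modes the ACL gives this authenticated agent (none if unknown or anonymous).
  const agentModes = (webId && acl.agents[webId]) || [];
  // Modes the owner's profile trusts this origin with.
  const trusted = trustedApps[origin] || [];
  for (const mode of agentModes) {
    // The origin can only narrow what the agent already has, never add to it.
    if (trusted.includes(mode)) granted.add(mode);
  }
  return [...granted].sort();
}

// A stranger running their own app on the trusted origin gets nothing private.
console.log(effectiveModes(privateAcl, ownerTrustedApps,
  { webId: OTHER, origin: 'http://localhost:3000' }));
// The owner, logged in, using the same origin gets the trusted modes.
console.log(effectiveModes(privateAcl, ownerTrustedApps,
  { webId: OWNER, origin: 'http://localhost:3000' }));
```
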


#4

Thanks @jucole & @aveltens, you've eased part of my fears :blush::+1: