epriestley 549146bc7c Move ALL files to serve from the alternate file domain, not just files without ... "Content-Disposition: attachment" Summary: We currently serve some files off the primary domain (with "Content-Disposition: attachment" + a CSRF check) and some files off the alternate domain (without either). This is not sufficient, because some UAs (like the iPad) ignore "Content-Disposition: attachment". So there's an attack that goes like this: - Alice uploads xss.html - Alice says to Bob "hey download this file on your iPad" - Bob clicks "Download" on Phabricator on his iPad, gets XSS'd. NOTE: This removes the CSRF check for downloading files. The check is nice to have but only raises the barrier to entry slightly. Between iPad / sniffing / flash bytecode attacks, single-domain installs are simply insecure. We could restore the check at some point in conjunction with a derived authentication cookie (i.e., a mini-session-token which is only useful for downloading files), but that's a lot of complexity to drop all at once. (Because files are now authenticated only by knowing the PHID and secret key, this also fixes the "no profile pictures in public feed while logged out" issue.) Test Plan: Viewed, info'd, and downloaded files Reviewers: btrahan, arice, alok Reviewed By: arice CC: aran, epriestley Maniphest Tasks: T843 Differential Revision: https://secure.phabricator.com/D1608		2012-02-14 14:52:27 -08:00
..
base	Phabricator file upload application.	2011-01-23 14:04:07 -08:00
file	Move ALL files to serve from the alternate file domain, not just files without	2012-02-14 14:52:27 -08:00
imagemacro	Image macros for Phabricator!	2011-04-13 20:08:13 -07:00
proxyimage	Restore image proxying to Remarkup	2011-05-03 18:49:06 -07:00
storageblob	Allow Phabricator storage engines to be extended and configured	2011-07-21 16:44:24 -07:00
transformed	Basic image thumbnailing	2011-05-27 09:33:33 -07:00