Logbot | #sandstorm | kentonv> specifically, we applied the whitelist filter at proxy.js but not again in sandstorm-http-bridge, which means that if a malicious party is able to call the app's WebSession API directly (something we intend to allow eventually), they can inject arbitrary headers, which among other things would allow them to spoof user authentication.

specifically, we applied the whitelist filter at proxy.js but not again in sandstorm-http-bridge, which means that if a malicious party is able to call the app's WebSession API directly (something we intend to allow eventually), they can inject arbitrary headers, which among other things would allow them to spoof user authentication.

kentonv 06:15:32