Markus Unterwaditzer

Results 849 comments of Markus Unterwaditzer

> Based on @untitaker's last comment I guess we have a working CSRF attack now? It's not that easy. Yes, you can point people's apps to arbitrary storages, but in...

@skddc François does have a point. The fact that remoteStorage.js allows sending people to arbitrary storages is both a usability feature and a _potential_ security issue, as mentioned in the...

It could even prompt whether the user is fine with that. It probably should try a sync with the old credentials and data to avoid data loss.

I wonder whether the token and remotestorage "fragment-query args" should be mutually exclusive.
- If `token` is there, it's an OAuth flow
- If `remotestorage` is there, it's storage-first auth...

I'm not sure if there's actually any value to that though. Malicious servers may still just auto-approve instead of showing an OAuth dialog, and you'd have the same user experience...

@fkooman Sure they can. You send the user to the OAuth server with the state parameter, and the _malicious_ OAuth server sends the client to the redirect URI, with the...

Storage-first auth flow is in the spec, so just implementing a state param is not sufficient. It seems the correct approach is:
- If `token` param is given:
  - Require...

:+1: I currently get bitten by this. Concretely I want to store a file with `If-None-Match` or `If-Match` conditions. This itself is not possible AFAIK, but there is no way...

> That's handled automatically by this library. How is this possible? If I load a file, parse it and put it into my datamodel, then sometime later modify the datamodel...

> IIRC, the problem with this is that in our IndexedDB database, the metadata is stored on the item, not on the containing folder node. So if you do getListing...