

When accessing the Calibre server via HTTP with "Require username and password" enabled, Calibre should prompt the user for credentials. However, some clients like Marvin (classic) do not have the ability to display the credentials dialog. For those clients, the credentials must be passed in the URL, in the form:

server: 8080 (assuming Calibre is running on port 8080)

This logs the user into Calibre, and the user is presented the choice of Calibre library.

As soon as the user clicks the button, a javascript error is thrown showing that history.pushstate is an insecure operation and does not allow passwords to be saved in the history.

You can replicate this error in Marvin or Firefox using the above URL scheme.

Calibre should detect when the username/password are passed via the URL, and NOT do a history.pushstate when the password is in the URL. This step could simply be skipped on the first user click when the library is selected, because then the URL will change to one without the password and future history.pushstate actions will not throw an error.

I see you set the status to wontfix, and if that's your final decision, fine.

1. Aware of OPDS functionality with Marvin, but the Web server in Calibre has functionality that opds lacks, such as selecting virtual libraries, and its overall appearance is much more friendly and easy to use for non-technical family members compared to opds.

2. Aware of the security issue, but as I said, Marvin lacks the ability to pass the credentials any other way for non-opds access. Not trying to use this method to get opds access.

The whole point was to get Calibre's WEB functionality in Marvin, since it is more user friendly and has features not available in the opds server.

Calibre's immediate history.pushstate makes its web functionality INCOMPATIBLE with Marvin when a password was required, so that's why we were requesting a fix.

That was the reason for the request, not ignorance, so I'd ask you to please reconsider. If you just won't fix it, then I'll accept that.

> On Oct 23, 2017, at 10:35 PM, Kovid Goyal wrote:
>
> Umm if you want to use the calibre server within marvin use the /opds
> the calibre server work fine in that way.
> And note that putting passwords into URLs is highly insecure.
> should be placed in HTTP headers, which is what the calibre server
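
The guard the report asks for, as an added sketch that is not calibre's code and not part of the thread: skip the history call when the page address carries credentials, and catch the "insecure operation" error so the click handler keeps working. The function names, the `books.example` host, the sample credentials, the `#library_id=main` target and the stand-in history objects are all constructed for illustration.

```javascript
// Added example. hasUserinfo, redact and guardedPushState are hypothetical names.

// True when the address carries a user:password@ part.
function hasUserinfo(href) {
  const u = new URL(href);
  return u.username !== '' || u.password !== '';
}

// Copy of the address that is safe to log, display or store in history.
function redact(href) {
  const u = new URL(href);
  u.username = '';
  u.password = '';
  return u.href;
}

// hist: History-like object; pageHref: address the page was loaded from.
// Reports what happened instead of letting the exception abort the click handler.
function guardedPushState(hist, pageHref, state, target) {
  const next = redact(new URL(target, pageHref).href);
  if (hasUserinfo(pageHref)) {
    // Credentials in the URL: do not hand anything to the history API.
    return { pushed: false, reason: 'credentials-in-url', href: next };
  }
  try {
    hist.pushState(state, '', next);
    return { pushed: true, reason: null, href: next };
  } catch (err) {
    if (err.name !== 'SecurityError') throw err; // unrelated failures still surface
    return { pushed: false, reason: 'security-error', href: next };
  }
}

// Constructed stand-ins for window.history.
const okHistory = { entries: [], pushState(s, t, url) { this.entries.push(url); } };
const strictHistory = {
  pushState() {
    const e = new Error('The operation is insecure.');
    e.name = 'SecurityError';
    throw e;
  },
};

// Constructed sample address with credentials embedded.
const samplePage = 'http://reader:s3cret@books.example:8080/';
console.log(guardedPushState(okHistory, samplePage, {}, '#library_id=main'));
```
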
