As you may notice, on the latest release there's a warning on the web server that is displayed only if you are surfing the Qora web with your wallet unlocked.
I think it's always good to be safe, but this might not be necessary. Since pages are hosted on a different port, and if the Java server is configured properly, API commands can/should return an error if the requests both come from the browser AND the originating page isn't the same domain/port.
See here:
http://www.codingpedia.org/ama/how-to-add-cors-support-on-the-server-side-in-java-with-jersey/

EDIT: In other words (sorry, lazy and I can't recall the real ports), if you load Qora websites from
http://127.0.0.1:8100/ and the RPC runs from
http://127.0.0.1:8101/, then a properly configured web server for the API will know that when a page from 127.0.0.1:8100 makes a cross-site request to 127.0.0.1:8101, it should ignore the request and return an error.
Of course, this doesn't mean that you can't call the RPC. This is browser-level security. So long as the user's browser isn't compromised, this isn't an issue, but, of course, if the browser is compromised, the attacker probably has access to your PC, and if they are interested in your money, they can steal your wallet/privkey, as probably any other cryptos you may hold.
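To make the origin check described above concrete, here is an added illustration (not Qora's code and not Jersey configuration; it is language-independent logic written in Python) of how an RPC server can decide, per request, whether the browser-supplied Origin header is on its allowlist. The 8100/8101 ports and the 127.0.0.1 host are the placeholders from the post, and the allowlist is constructed for the example. It also makes the two limits of the approach visible: a request with no Origin header (curl, a script, a non-browser client) is served, which is exactly the "you can still call the RPC" point, and a browser page on a different port, even on the same host, is a different origin and gets a 403 instead of relying on the browser to hide the response.

```python
"""Origin allowlist check for a JSON-RPC endpoint.

Added example modelled on the split described in the post:
  pages served from http://127.0.0.1:8100, RPC served from http://127.0.0.1:8101.
Hosts and ports are the post's placeholders; the allowlist is constructed here.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: only pages served by the node's own web server may
# make cross-origin calls to the RPC port from inside a browser.
ALLOWED_ORIGINS = {"http://127.0.0.1:8100"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host:port with default ports made explicit.

    Returns None for anything that is not a well-formed http(s) origin, which
    covers the literal string "null" that browsers send for sandboxed or
    file:// pages. Port is part of the origin, so 8100 and 8101 never match.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def handle_rpc_request(method: str, headers: Dict[str, str],
                       allowed=ALLOWED_ORIGINS) -> Tuple[int, Dict[str, str]]:
    """Decide whether the RPC server serves a request and which CORS headers it adds.

    Returns (status_code, response_headers).
    - No Origin header: not a cross-site browser request (curl, scripts, a
      same-site GET). Served without CORS headers; this is the browser-level
      limit the post mentions, the server itself stays reachable.
    - Origin on the allowlist: served, and the origin is echoed back so the
      browser will expose the response to that page.
    - Origin absent from the allowlist: 403. The server refuses outright rather
      than answering and leaving it to the browser to withhold the result.
    """
    origin = headers.get("Origin")
    if origin is None:
        return 200, {}

    norm = normalize_origin(origin)
    allowed_norm = {normalize_origin(a) for a in allowed}
    if norm is None or norm not in allowed_norm:
        return 403, {}

    cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    # Preflight: the browser asks permission before a non-simple request
    # (e.g. POST with a JSON body). Answer with the allowed methods/headers only.
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        cors["Access-Control-Allow-Methods"] = "GET, POST"
        cors["Access-Control-Allow-Headers"] = headers.get(
            "Access-Control-Request-Headers", "Content-Type")
        return 204, cors
    return 200, cors


if __name__ == "__main__":
    # Constructed sample requests: the node's own page, a page on the other
    # port, a third-party site, and a non-browser client with no Origin.
    samples = [
        ("POST", {"Origin": "http://127.0.0.1:8100"}),
        ("POST", {"Origin": "http://127.0.0.1:8101"}),
        ("POST", {"Origin": "http://other.example"}),
        ("POST", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs.get("Origin", "<no Origin>"), "->", handle_rpc_request(method, hdrs))
```

The check keys on the Origin header rather than Referer because browsers attach Origin to every cross-origin request and to preflights, and it cannot be set by page script. Echoing the matched origin plus `Vary: Origin` (instead of `*`) keeps caches from serving one origin's allow header to another.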