:( make sure test wasn't false not false positive :( for @go1dfish

package.json

@@ -1,6 +1,6 @@
 {
   "name": "gun",
-  "version": "0.2019.514",
+  "version": "0.2019.515",
   "description": "A realtime, decentralized, offline-first, graph data synchronization engine.",
   "main": "index.js",
   "browser": "gun.js",

sea.js

@@ -1113,10 +1113,6 @@
       }
       var ctx = this.as;
       (msg._||(msg._=function(){})).user = ctx.user;
-      if(ctx.opt.faith && msg._.faith){ // you probably shouldn't have faith in this!
-        this.to.next(msg);
-        return;
-      }
       security.call(this, msg);
     }
 
@@ -1125,6 +1121,10 @@
     // This is broken down into some pretty clear edge cases, let's go over them:
     function security(msg){
       var at = this.as, sea = at.sea, to = this.to;
+      if(at.opt.faith && (msg._||noop).faith){ // you probably shouldn't have faith in this!
+        this.to.next(msg); // why do we allow skipping security? I'm very scared about it actually.
+        return; // but so that way storage adapters that already verified something can get performance boost. This was a community requested feature. If anybody finds an exploit with it, please report immediately. It should only be exploitable if you have XSS control anyways, which if you do, you can bypass security regardless of this.
+      }
       if(msg.get){
         // if there is a request to read data from us, then...
         var soul = msg.get['#'];

sea/index.js

@@ -55,10 +55,6 @@
       }
       var ctx = this.as;
       (msg._||(msg._=function(){})).user = ctx.user;
-      if(ctx.opt.faith && msg._.faith){ // you probably shouldn't have faith in this!
-        this.to.next(msg);
-        return;
-      }
       security.call(this, msg);
     }
 
@@ -67,6 +63,10 @@
     // This is broken down into some pretty clear edge cases, let's go over them:
     function security(msg){
       var at = this.as, sea = at.sea, to = this.to;
+      if(at.opt.faith && (msg._||noop).faith){ // you probably shouldn't have faith in this!
+        this.to.next(msg); // why do we allow skipping security? I'm very scared about it actually.
+        return; // but so that way storage adapters that already verified something can get performance boost. This was a community requested feature. If anybody finds an exploit with it, please report immediately. It should only be exploitable if you have XSS control anyways, which if you do, you can bypass security regardless of this.
+      }
       if(msg.get){
         // if there is a request to read data from us, then...
         var soul = msg.get['#'];

test/tmp/tmp.html

@@ -18,8 +18,9 @@
 var db = Gun({faith: true});
 
 setTimeout(function(){
-	console.log(db.get(window.SOUL)._.put);
-	return;
+	//return;
+	//console.log(db.get(window.SOUL)._.put);
+	//return;
 	db.get(window.SOUL).once(function(data){
 		console.log('oye!', data);
 	})
@@ -27,8 +28,8 @@ setTimeout(function(){
 
 function test(result, dedupId){ setTimeout(function(){
 	if (result) {
-		var foo = function(){}; foo.faith = true;
-	  db.on('in').to.next({
+		var foo = function(){}; foo.faith = false;
+	  db.on('in', {
 	    '@': dedupId,
 	    from: 'local',
 	    put: { [Gun.node.soul(result)]: result },
@@ -44,7 +45,7 @@ test(window.foo = {"_":{"#": window.SOUL = "nab/things/1d0f60a50f65b95dd91036836
 	"author":"{\":\":\"go1dfish\",\"~\":\"ovwCbuQeYp5rRABi9bTNKcEeeFXEiozWG28aRCl+MjOMNeqOxDEKIsnsgYgJmmSXvNhe/MpuL3376nL0vTN6qA==\"}",
 	"authorId":"{\":\":\"JG43ynRxqjy1-AemyMUoz14UqKM6cnh7zSPy_EAPgts.RCZ5dY7iRaIW_B7cDBlBsDNKwn2QCtbbA1uQ6iL8ENw\",\"~\":\"ekhiqU7UP1M8nHxBFv8QItNBIstP6zuQBtutk6sqMBNaN/2U9BAjb7Vjsogj23kphEMHeCSgO7AqaOE3cOZiyg==\"}",
 	"timestamp":"{\":\":1557772735666,\"~\":\"Z2AiDehqJKrbRlXXUllkwWjOEn5//HnjjTMdgNz2j8K/Bw5XPK1g0huVQsfWdKOKfr9XU7Y5sY2N526V13O4XA==\"}","kind":"{\":\":\"submission\",\"~\":\"KwjYOjPnpZH85VVOHZAxLm2Ntd/0p3o74sLEGtTf7grBCKb0pzDo7yERjWIaTEiQJ2IFEtu43V/vzhZMTvuvUQ==\"}"})
-db.get(window.SOUL);
+//db.get(window.SOUL);
 </script>
 </body>
 </html>