I was looking at tiddlywiki today, after the nice talk about tiddlysnip
by John and Adam on Wednesday. I noticed that tiddlywiki wants to have
you turn on "run and install software" file privileges in firefox. The
default popup gives this access to all files. If you click "remember
this" setting, then the first XSS hack you hit can probably arrange to
re-run itself from cache getting the privilege to change any file you
have access to and run them.
I googled a bit, and I see one can finesse the per-file privileges in the
user.js file. But distributing user.js prefs seems to be unworkable if
your tiddlywiki is going to be on a flash drive. Script signing seems to
be the other alternative.
So I am wondering what you tiddlywiki users are doing for security?
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494
_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
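An added example, not part of Dean's message or of the TiddlyWiki project: a small Node.js script that emits the user.js lines granting the "run and install software" privilege to one named file:// URL rather than to every local file, which is the scoping the "remember this" checkbox on the default prompt does not give you. It assumes the legacy Firefox pref names capability.principal.codebase.pN.granted / .id / .subjectName, the privilege name UniversalXPConnect, and the signed.applets.codebase_principal_support switch that the enablePrivilege prompt depended on; those belong to the Firefox releases of the time (later versions removed enablePrivilege and the prefs with it). The assumption that a file-specific id restricts the grant to that one document is also the reason the prefs do not travel well with a flash drive: the id is bound to an absolute path.

```javascript
// Added example (not TiddlyWiki's own code): generate Firefox user.js
// prefs that grant UniversalXPConnect ("run and install software") to a
// specific set of local files instead of to all of file://.
// Assumed pref names (legacy Firefox, later removed):
//   signed.applets.codebase_principal_support
//   capability.principal.codebase.pN.{granted,id,subjectName}

// Convert an absolute filesystem path to the file:// URL Firefox uses as the
// principal id. Backslashes become slashes and a Windows drive path gets a
// leading slash, so C:\wiki\my wiki.html -> file:///C:/wiki/my%20wiki.html
function toFileUrl(absPath) {
  let p = absPath.replace(/\\/g, '/');
  if (!p.startsWith('/')) p = '/' + p;
  return 'file://' + encodeURI(p);
}

// Build the user.js text. Each path gets its own principal slot pN; the
// codebase_principal_support switch is emitted once. A grant whose id is the
// bare "file://" would cover every local file, which is what this avoids.
function userJsFor(absPaths) {
  const lines = ['user_pref("signed.applets.codebase_principal_support", true);'];
  absPaths.forEach((p, slot) => {
    const prefix = `capability.principal.codebase.p${slot}`;
    lines.push(`user_pref("${prefix}.granted", "UniversalXPConnect");`);
    lines.push(`user_pref("${prefix}.id", "${toFileUrl(p)}");`);
    lines.push(`user_pref("${prefix}.subjectName", "");`);
  });
  return lines.join('\n');
}

// Usage: node userjs-prefs.js /abs/path/to/tiddlywiki.html [more files...]
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(userJsFor(process.argv.slice(2)));
}
```

Append the output to the user.js in the Firefox profile directory, restart the browser, and the privilege prompt should then apply only to the listed documents; any other local page that calls enablePrivilege still has to ask, and the answer "remember this" is never stored for all of file://.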