On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
> On Saturday, 14 November 2009 at 20:36 -0500, Michael Gilbert wrote:
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published.
> >
> > CVE-2007-1084[0]:
> > | Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
> > | saving bookmarklets, which allows remote attackers to bypass the
> > | same-domain policy by tricking a user into saving a bookmarklet with a
> > | data: scheme, which is executed in the context of the last visited web
> > | page.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE id in your changelog entry.
>
> What's a bookmarklet? I don't even know whether epiphany supports this.
It's JavaScript code you bookmark and can run on any site. A bit like Greasemonkey, but cross-browser. It's designed to run in the current page context, so the security issue here is by design. To alleviate the broken-by-design part, the CVE says the browser should ask for confirmation, like everybody reads alerts and makes informed decisions. Haha.

Mike
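The confirmation step the CVE asks for, as an added example that is not part of the thread and not Epiphany or Firefox code. It assumes a hypothetical bookmark store (a plain array) and a hypothetical `saveBookmark(store, title, url, confirmFn)` entry point; the only part grounded in the thread is the idea that `javascript:` bookmarks, and `data:` ones as CVE-2007-1084 describes, execute in the context of the current page and so deserve a prompt before being saved.

```javascript
// Added example, not from the mailing-list thread or any browser's code base.
// A bookmark manager gate: ordinary URLs are saved directly, while bookmarks
// whose scheme executes in the current page's context are saved only after
// the user confirms.

// Schemes whose bookmarks run as code in the context of the current page
// rather than navigating away from it: javascript:, and data: as described
// in CVE-2007-1084.
const PAGE_CONTEXT_SCHEMES = new Set(["javascript", "data"]);

// Extract the scheme the way a browser's URL parser does: leading whitespace
// and C0 control characters are ignored, and the comparison is
// case-insensitive, so a naive startsWith("javascript:") check is not enough.
function schemeOf(url) {
  const trimmed = String(url).replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// True when the bookmark would execute in page context rather than navigate.
function isBookmarklet(url) {
  const s = schemeOf(url);
  return s !== null && PAGE_CONTEXT_SCHEMES.has(s);
}

// Hypothetical save path. `store` is any array; `confirmFn(title, url)` is
// the UI prompt and must return true for a bookmarklet to be stored.
// Returns true if the bookmark was saved, false if it was declined.
function saveBookmark(store, title, url, confirmFn) {
  if (isBookmarklet(url) && !confirmFn(title, url)) {
    return false;
  }
  store.push({ title: title, url: url });
  return true;
}

// Stand-alone demonstration with constructed inputs.
const demoStore = [];
const declineAll = () => false;
saveBookmark(demoStore, "Debian", "https://www.debian.org/", declineAll);
saveBookmark(demoStore, "Shrink page", "  JavaScript:void(0)", declineAll);
console.log(demoStore.length); // 1: the bookmarklet was declined, the site saved
```

The normalisation in `schemeOf` is the part worth copying: a prompt that keys on the literal prefix `javascript:` is skipped for `JavaScript:` or a leading tab, which browsers accept as the same scheme.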

