Karl Dahlke wrote on Mon, Mar 05, 2018: > He writes a web page with javascript that does an xhr request to > zipxd://foo.zip@:@top
I think it's a matter of priority, but now we have javascript working a bit better we might soon find time to make it more restricted somehow. I still think allowing any site to do xhr requests anywhere is not something we will want. I started writing a mail about this ages ago (August last year!) and it is actually still open despite me not having written a word there in at least six months, that shows how often this machines reboots, but joke aside I think we now have enough js that old attacks on firefox would work on edbrowse, so we will need to start worrying about it sooner or later... As you said most of these attacks depend on having millions of users, but you can also see it differently and having one user exposed to a million of attacks and it might work. A classical example is just assuming you have a comcast home router at 192.168.1.1 (or whatever the default address is) and with the default user admin/admin, just do a xhr for http://admin:[email protected]/page where page could open up firewall or change your password or brick the modem - remember I assumed comcast so I can look up these pages. I'm sure that even with just 15 users one of us might be in that configuration! I don't have any easy solution, I started looking up everything firefox does and there is no end, we probably do not need everything, but there is some food for thought. -- Dominique | Asmadeus _______________________________________________ Edbrowse-dev mailing list [email protected] http://lists.the-brannons.com/mailman/listinfo/edbrowse-dev
