On Feb 23, 10:26 pm, Pedro Simonetti Garcia <[email protected]>
wrote:
> Hi Eric,
>
> Taking YSlow as an example, I suppose it would be good as a starting
> point to define the "security rules" your extension will be looking for,
> like "don't use window.eval()" etc.

And this could be very difficult since someone like myself will object
that there is nothing about window.eval() that is the least bit
insecure!

window.eval() is exactly as secure as "<script>" tags or
"document.write()" or "new Function()". These all compile and run
Javascript code. Since the code that calls window.eval() is also
Javascript, window.eval() is not intrinsically insecure.

Web pages ("content documents" in Mozilla-speak) are secured by the
browser. Browsers are easily the most secure computing environment on
the Internet simply because so many developers work on it and so many
people test it.  If an analysis tool can find any operations in a web
page that are insecure, then the browser is broken and will need to be
fixed.

Extensions are part of the browser so they can make operations that
break the browser security. One indirect way to break the browser
security is for otherwise secure code to issue window.eval() and pass
a string obtained over an insecure Internet connection. Since AJAX is
very easy to code, simple extensions can easily make this mistake.
But the lack of security comes from the insecure Internet connection,
not from eval().

jjb

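As an added example, not code from this thread, from Firebug or from the tool Pedro describes: a small JavaScript checker that encodes jjb's distinction, reporting eval()/Function() as a problem only when the compiled string can be traced to an XMLHttpRequest response, rather than flagging every eval() call. It is a line-by-line regex heuristic rather than a real parser, and the two sample sources embedded in it are constructed.

```javascript
const NETWORK_SOURCE = /\b(?:responseText|responseXML|response)\b/;
const ASSIGN = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/;
const EVAL_CALL = /\b(?:window\.)?(eval|Function)\s*\((.*)\)/;
const IDENT = /[A-Za-z_$][\w$]*/g;
const isStringLiteral = (text) => /^(["'])(?:\\.|(?!\1).)*\1$/.test(text.trim());

// One finding per eval()/Function() call. Verdicts: 'literal' (the script
// compiles text it carries itself), 'tainted' (the string traces back to an
// XMLHttpRequest response through simple assignments) or 'unknown'.
function checkEvalUsage(source) {
  const tainted = new Set(), literals = new Set(), findings = [];
  source.split('\n').forEach((line, i) => {
    const assign = ASSIGN.exec(line);
    if (assign) {
      const [, name, expr] = assign;
      const ids = expr.match(IDENT) || [];
      tainted.delete(name); literals.delete(name);  // reassignment resets state
      if (NETWORK_SOURCE.test(expr) || ids.some((id) => tainted.has(id))) tainted.add(name);
      else if (isStringLiteral(expr)) literals.add(name);
    }
    const call = EVAL_CALL.exec(line);
    if (call) {
      const fn = call[1], arg = call[2].trim();
      const verdict = isStringLiteral(arg) || literals.has(arg) ? 'literal'
        : tainted.has(arg) ? 'tainted' : 'unknown';
      findings.push({ line: i + 1, fn, arg, verdict });
    }
  });
  return findings;
}

// The calls a security rule should actually flag: eval() of network data.
function insecureEvals(source) {
  return checkEvalUsage(source).filter((f) => f.verdict === 'tainted');
}
// Constructed sample: code fetched over plain HTTP and compiled inside a
// privileged extension, the pattern described in the message above.
const RISKY_SNIPPET = [
  'var xhr = new XMLHttpRequest();',
  'xhr.open("GET", "http://updates.example/rules.js", false);',
  'var payload = xhr.responseText;',
  'var code = payload;',
  'window.eval(code);',
].join('\n');
// Constructed sample: eval() of strings the script itself contains.
const BENIGN_SNIPPET = [
  'var expr = "1 + 2";',
  'var total = eval(expr);',
  'eval("refreshPanel()");',
].join('\n');
```

Running `insecureEvals(RISKY_SNIPPET)` reports only the final `window.eval(code)` line, while `insecureEvals(BENIGN_SNIPPET)` reports nothing even though it contains two eval() calls.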
-- 
You received this message because you are subscribed to the Google Groups 
"Firebug" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/firebug?hl=en.