Hey guys,

Thanks for that great info on that stuff. Is there a way to take or use a Firebug Lite Extension to help protect users from Security issues in the browser? I don't know if I am making myself clear on this, but I am just wondering if there could be some way to design an extension to help protect users from Security Hacks or attacks in the browser.

I know this probably sounds like an anti virus type issue I am trying to solve, but it's more than that; I am just wondering if there is a way to help protect people from malicious code in the browser. Thanks for the great information you gave me.

Thanks & God Bless,
Eric Dorman

On Feb 24, 11:53 am, John J Barton <[email protected]> wrote:
> On Feb 23, 10:26 pm, Pedro Simonetti Garcia <[email protected]>
> wrote:
>
> > Hi Eric,
>
> > Taking YSlow as an example, I suppose it would be good as a starting
> > point to define the "security rules" your extension will be looking for,
> > like "don't use window.eval()" etc.
>
> And this could be very difficult since someone like myself will object
> that there is nothing about window.eval() that is the least bit
> insecure!
>
> window.eval() is exactly as secure as "<script>" tags or
> "document.write()" or "new Function()". These all compile and run
> Javascript code. Since the code that calls window.eval() is also
> Javascript, window.eval() is not intrinsically insecure.
>
> Web pages ("content documents" in Mozilla-speak) are secured by the
> browser. Browsers are easily the most secure computing environment on
> the Internet simply because so many developers work on it and so many
> people test it. If an analysis tool can find any operations in a web
> page that are insecure, then the browser is broken and will need to be
> fixed.
>
> Extensions are part of the browser so they can make operations that
> break the browser security. One indirect way to break the browser
> security is for otherwise secure code to issue window.eval() and pass
> a string obtained over an insecure Internet connection. Since AJAX is
> very easy to code, simple extensions can easily make this mistake.
> But the lack of security comes from the insecure Internet connection,
> not from eval().
>
> jjb
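An added example, not part of the original thread: the quoted reply's two points side by side, that eval() and new Function() run whatever string they are given, and that the exposure comes from where the string came from. All function names, the sample response bodies and the host `updates.example.org` are constructed for illustration.

```javascript
// Constructed response bodies, standing in for text fetched over a
// connection that a third party could modify in transit.
const honestBody = '{"version": "1.2", "rules": ["no-mixed-content"]}';
const tamperedBody =
  '{"version": "1.2", "rules": (globalThis.__ranInjected = true, [])}';

// Two equivalent ways to compile and run a string as JavaScript.
function viaEval(body) { return (0, eval)('(' + body + ')'); }
function viaFunction(body) { return new Function('return (' + body + ')')(); }

// Treat the same string strictly as data: JSON.parse never executes it.
function viaJsonParse(body) {
  const obj = JSON.parse(body); // SyntaxError on anything that is not JSON
  const ok = obj !== null && typeof obj === 'object' &&
    typeof obj.version === 'string' &&
    Array.isArray(obj.rules) && obj.rules.every((r) => typeof r === 'string');
  if (!ok) throw new TypeError('unexpected response shape');
  return { version: obj.version, rules: obj.rules.slice() };
}

// Run one parser over one body; report whether the body was accepted and
// whether code embedded in it actually executed.
function probe(parser, body) {
  delete globalThis.__ranInjected;
  let parsed = false;
  try { parser(body); parsed = true; } catch (e) { /* body rejected */ }
  const executed = globalThis.__ranInjected === true;
  delete globalThis.__ranInjected;
  return { parsed, executed };
}

// Transport check: accept bodies only from an https: URL on an allowlist.
const ALLOWED_HOSTS = new Set(['updates.example.org']); // hypothetical host
function isTrustedSource(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  return u.protocol === 'https:' && ALLOWED_HOSTS.has(u.hostname);
}
```

With the honest body all three parsers return the same object; only the tampered body separates them, which is why a rule that merely flags the word `eval` says little without knowing the origin of its argument.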
