On Feb 24, 10:40 am, Eric Dorman <[email protected]> wrote: > Hey guys, Thanks for that great info on that stuff. > > Is their a way to take or use a Firebug Lite Extension to help protect > users from Security issues in the browser? I don't if I am making > myself clear on this,but I am just wondering if their could be some > way to design an extension to help protect users from Security Hacks > or attacks in the browser.
I believe the answer is "no" because the browser already protects users from attack. jjb > > I know this probably sounds like a anti virus type issue I am trying > to solve,but it's more than that I am just wondering if their a is a > way to help protect people from malious code in the browser. > > Thanks for the great information you gave me. > > Thanks & God Bless, > Eric Dorman > > On Feb 24, 11:53 am, John J Barton <[email protected]> > wrote: > > > On Feb 23, 10:26 pm, Pedro Simonetti Garcia <[email protected]> > > wrote: > > > > Hi Eric, > > > > Taking YSlow as an example, I suppose it would be good as a starting > > > point to define the "security rules" your extension will be looking for, > > > like "don't use window.eval()" etc. > > > And this could be very difficult since someone like myself will object > > that there is nothing about window.eval() that is the least bit > > insecure! > > > window.eval() is exactly as secure as "<script>" tags or > > "document.write()" or "new Function()". These all compile and run > > Javascript code. Since the code that calls window.eval() is also > > Javascript, window.eval() is not intrinsically insecure. > > > Web pages ('content documents" in Mozilla-speak) are secured by the > > browser. Browsers are easily the most secure computing environment on > > the Internet simply because so many developers work on it and so many > > people test it. If an analysis tool can find any operations in a web > > page that are insecure, then the browser is broken and will need to be > > fixed. > > > Extensions are part of the browser so they can make operations that > > break the browser security. One indirect way to break the browser > > security is for otherwise secure code to issue window.eval() and pass > > a string obtained over an insecure Internet connection. Since AJAX is > > very easy to code, simple extensions can easily make this mistake. > > But the lack of security comes from the insecure Internet connection, > > not from eval(). > > > jjb -- You received this message because you are subscribed to the Google Groups "Firebug" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/firebug?hl=en.
