Hey John,

Yeah I know, but I just think there could be more ways to help protect users
and something like Firebug Lite designed specifically for Security
could double the protection or at least help it. I am trying to find
some middle ground in building something like Firebug Lite Extension
that would not only be for developers to locate bugs, but also be a bug
finder for everyday users who visit sites.

Just my opinion. :)



On Feb 24, 1:47 pm, John J Barton <[email protected]> wrote:
> On Feb 24, 10:40 am, Eric Dorman <[email protected]> wrote:
>
> > Hey guys, Thanks for that great info on that stuff.
>
> > Is there a way to take or use a Firebug Lite Extension to help protect
> > users from Security issues in the browser? I don't know if I am making
> > myself clear on this, but I am just wondering if there could be some
> > way to design an extension to help protect users from Security Hacks
> > or attacks in the browser.
>
> I believe the answer is "no" because the browser already protects
> users from attack.
>
> jjb
>
>
>
> > I know this probably sounds like an anti-virus type issue I am trying
> > to solve, but it's more than that. I am just wondering if there is a
> > way to help protect people from malicious code in the browser.
>
> > Thanks for the great information you gave me.
>
> > Thanks & God Bless,
> > Eric Dorman
>
> > On Feb 24, 11:53 am, John J Barton <[email protected]>
> > wrote:
>
> > > On Feb 23, 10:26 pm, Pedro Simonetti Garcia <[email protected]>
> > > wrote:
>
> > > > Hi Eric,
>
> > > > Taking YSlow as an example, I suppose it would be good as a starting
> > > > point to define the "security rules" your extension will be looking for,
> > > > like "don't use window.eval()" etc.
>
> > > And this could be very difficult since someone like myself will object
> > > that there is nothing about window.eval() that is the least bit
> > > insecure!
>
> > > window.eval() is exactly as secure as "<script>" tags or
> > > "document.write()" or "new Function()". These all compile and run
> > > Javascript code. Since the code that calls window.eval() is also
> > > Javascript, window.eval() is not intrinsically insecure.
>
> > > Web pages ("content documents" in Mozilla-speak) are secured by the
> > > browser. Browsers are easily the most secure computing environment on
> > > the Internet simply because so many developers work on it and so many
> > > people test it.  If an analysis tool can find any operations in a web
> > > page that are insecure, then the browser is broken and will need to be
> > > fixed.
>
> > > Extensions are part of the browser so they can make operations that
> > > break the browser security. One indirect way to break the browser
> > > security is for otherwise secure code to issue window.eval() and pass
> > > a string obtained over an insecure Internet connection. Since AJAX is
> > > very easy to code, simple extensions can easily make this mistake.
> > > But the lack of security comes from the insecure Internet connection,
> > > not from eval().
>
> > > jjb

-- 
You received this message because you are subscribed to the Google Groups 
"Firebug" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/firebug?hl=en.
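
The case described in the quoted message, where otherwise secure code passes a string obtained over an insecure connection to eval(), shown as an added JavaScript example that is not part of the original thread. The `prefs` object, the sample responses and the function names are hypothetical and constructed for illustration.

```javascript
// Added example: all names and data below are constructed for illustration.
// State that privileged (extension-like) code would hold.
const prefs = { updateUrl: "https://example.invalid/update" };

// Constructed sample responses. The second is what a reply altered in transit
// on an unencrypted connection could look like: valid JavaScript, not valid JSON.
const GENUINE = '{"version": "1.2", "notes": "bug fixes"}';
const TAMPERED = '(prefs.updateUrl = "http://tampered.invalid/x", {"version": "1.2"})';

// Risky pattern: the response text is compiled and run with the caller's privileges.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Safer pattern: treat the response strictly as data, then validate its shape.
function parseAsData(text) {
  let obj;
  try {
    obj = JSON.parse(text); // never executes code
  } catch (e) {
    return { ok: false, reason: "not JSON" };
  }
  if (obj === null || typeof obj !== "object" || typeof obj.version !== "string") {
    return { ok: false, reason: "unexpected shape" };
  }
  return { ok: true, version: obj.version };
}

// Runs both parsers over both responses and records what happened to prefs.
function demo() {
  const results = {};
  results.evalGenuine = parseWithEval(GENUINE).version;
  parseWithEval(TAMPERED); // the string runs as code here
  results.prefsAfterEval = prefs.updateUrl;
  prefs.updateUrl = "https://example.invalid/update"; // reset for the second half
  results.dataGenuine = parseAsData(GENUINE);
  results.dataTampered = parseAsData(TAMPERED);
  results.prefsAfterData = prefs.updateUrl;
  return results;
}

console.log(demo());
```

With the genuine response both parsers return the same version; with the altered one, only the eval() path lets the response change `prefs`, while the data-only path rejects it.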