Hey guys, Thanks for that great info.

If there is possibly a way to access the browser from a web app, how would you do that, or is it even possible? I think you all know what I am trying to build here, but is there a way to access or use pieces of the browser without breaking it? I know you guys would probably say just make an add-on if you want to interact with the browser, but I am wondering if there is any way you could interact with the browser or access certain tools of the browser with a web app?

Oh and I hope Firebug 1.5.2 is stable.

Thanks & God Bless,
Eric Dorman

On Feb 24, 8:34 pm, Pedro Simonetti Garcia <[email protected]> wrote:
> Hi there,
>
> 2010/2/24 John J Barton <[email protected]>:
> > On Feb 24, 10:40 am, Eric Dorman <[email protected]> wrote:
> >> Hey guys, Thanks for that great info on that stuff.
> >>
> >> Is there a way to take or use a Firebug Lite Extension to help protect
> >> users from Security issues in the browser? I don't know if I am making
> >> myself clear on this, but I am just wondering if there could be some
> >> way to design an extension to help protect users from Security Hacks
> >> or attacks in the browser.
> >
> > I believe the answer is "no" because the browser already protects
> > users from attack.
>
> JJB made some really good observations.
>
> I thought that you were talking about an extension that helps
> *developers* build more secure web applications, and not
> exactly an "extension to help protect users".
>
> Let's say you visit a malicious website and it infects your
> computer with some malware. There's no way for Firebug
> Lite to prevent this from happening, once the infection is a
> result of a weakness in the browser.
>
> I'm not a security expert, so I may not be the right person
> to talk about this subject, but I do believe there are some
> rules / guidelines that *developers* could follow to make
> their web application more safe.
>
> I mentioned "window.eval()" because it was the first thing
> that came to my mind, but I do agree with what JJB said,
> that "window.eval()" itself isn't unsafe, but it could cause
> a security problem if you evaluate an external script from
> a non-trusted party, or from a non-secure protocol.
>
> One better example I could give is the use of the HTTP protocol.
> HTTP is not a safe protocol, and it could allow the
> "Man-in-the-middle attack". So a better way to protect
> your web application is to use only safe protocols (like
> HTTPS) for all resources loaded in your app (scripts,
> stylesheets, images, etc).
>
> http://en.wikipedia.org/wiki/Man-in-the-middle_attack
>
> So, an extension could alert the developer with a message
> "you are using an unsafe protocol, use HTTPS instead".
>
> But even so, detecting some other security problems can
> be very hard. For example, how could the extension know
> that you're using a "window.eval()" to evaluate an external
> script? There's no way to know without analyzing the source
> code, and implementing an automatic analysis for that would
> be very hard.
>
> regards,
>
> Pedro Simonetti.
>
> > jjb
> >
> >> I know this probably sounds like an anti-virus type issue I am trying
> >> to solve, but it's more than that. I am just wondering if there is a
> >> way to help protect people from malicious code in the browser.
> >>
> >> Thanks for the great information you gave me.
> >>
> >> Thanks & God Bless,
> >> Eric Dorman
> >>
> >> On Feb 24, 11:53 am, John J Barton <[email protected]>
> >> wrote:
> >>
> >> > On Feb 23, 10:26 pm, Pedro Simonetti Garcia <[email protected]>
> >> > wrote:
> >> >
> >> > > Hi Eric,
> >> > >
> >> > > Taking YSlow as an example, I suppose it would be good as a starting
> >> > > point to define the "security rules" your extension will be looking
> >> > > for,
> >> > > like "don't use window.eval()" etc.
> >> >
> >> > And this could be very difficult since someone like myself will object
> >> > that there is nothing about window.eval() that is the least bit
> >> > insecure!
> >> >
> >> > window.eval() is exactly as secure as "<script>" tags or
> >> > "document.write()" or "new Function()". These all compile and run
> >> > JavaScript code. Since the code that calls window.eval() is also
> >> > JavaScript, window.eval() is not intrinsically insecure.
> >> >
> >> > Web pages ("content documents" in Mozilla-speak) are secured by the
> >> > browser. Browsers are easily the most secure computing environment on
> >> > the Internet simply because so many developers work on it and so many
> >> > people test it. If an analysis tool can find any operations in a web
> >> > page that are insecure, then the browser is broken and will need to be
> >> > fixed.
> >> >
> >> > Extensions are part of the browser so they can make operations that
> >> > break the browser security. One indirect way to break the browser
> >> > security is for otherwise secure code to issue window.eval() and pass
> >> > a string obtained over an insecure Internet connection. Since AJAX is
> >> > very easy to code, simple extensions can easily make this mistake.
> >> > But the lack of security comes from the insecure Internet connection,
> >> > not from eval().
> >> >
> >> > jjb

--
You received this message because you are subscribed to the Google Groups "Firebug" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/firebug?hl=en.
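
Added example, not part of the original thread: a sketch of the check Pedro describes in the quoted reply, warning a developer when a page loads scripts, stylesheets, images or frames over plain HTTP. The function name, the warning object and the sample markup are constructed for illustration, and the regex tag scan stands in for the DOM access a real extension would use.

```javascript
// Added illustration; findInsecureResources and SAMPLE_HTML are hypothetical names.
// Tags that trigger a resource load, and the attribute carrying the URL.
const RESOURCE_ATTRS = { script: 'src', link: 'href', img: 'src', iframe: 'src' };

// Constructed sample markup: absolute, relative and protocol-relative URLs.
const SAMPLE_HTML = `
  <script src="http://cdn.example/lib.js"></script>
  <script src="https://cdn.example/ok.js"></script>
  <link rel="stylesheet" href="/css/site.css">
  <img data-src="http://lazy.example/x.png" src="//img.example/logo.png">
  <script>var inline = 1;</script>
`;

// Return one warning per resource whose URL, resolved against the page
// URL, would be fetched over plain HTTP. Relative and protocol-relative
// URLs inherit the scheme of the page, so the page URL matters.
// Simplification: attribute values containing ">" are not handled.
function findInsecureResources(html, pageUrl) {
  const warnings = [];
  const tagRe = /<(script|link|img|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    // Require whitespace (or start) before the name so data-src is ignored.
    const attrRe = new RegExp(
      '(?:^|\\s)' + RESOURCE_ATTRS[tag] +
      '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
    const a = attrRe.exec(m[2]);
    if (!a) continue; // inline script or tag without a URL
    const raw = a[1] ?? a[2] ?? a[3];
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; }
    if (url.protocol === 'http:') {
      warnings.push({
        tag,
        url: url.href,
        message: 'you are using an unsafe protocol, use HTTPS instead',
      });
    }
  }
  return warnings;
}

// Stand-alone run: the same markup on an HTTPS page and on an HTTP page.
for (const page of ['https://app.example/index.html', 'http://app.example/index.html']) {
  console.log(page, findInsecureResources(SAMPLE_HTML, page).map(w => w.url));
}
```

On the HTTPS page only the explicit `http://` script is reported; on the HTTP page the relative stylesheet and the protocol-relative image are reported as well, because they inherit the page's scheme.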
