In some mail from Barry Fitzgerald, sie said: > Darren Reed wrote: > >>>A simple solution would be to add the shell protocol to this list. > >>>Personally I think a secure blacklist is hard to maintain as new > >>>dangerous external protocols could be invented by third-parties leaving > >>>Mozilla vulnerable again. > >>> > >>Completely agreed. > >> > >>There should be a whitelist, not a blacklist... a safe protocols list. > > > >And what would happen? > > > >Nobody would configure anything but those. > > > >And what would happen next? > > > >People would find ways to put their "new stuff" inside the "safe ones". > > > >Kind of like how "http" is declared safe (but is it really??) and so > >every man and their dog tunnels their proprietary stuff through that > >because it'll go through firewalls. > > And you're suggesting that allowing local protocols to run local code > per the background call of a website is better?
I'm not suggesting anything other than what I said. Darren _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
