On 25.02.2008, at 06:37, Paul Ferguson wrote:
> I can't wait until NoScript integrates blocking for it...  :-)


I doubt it will happen soon. For this to work Giorgio needs to
integrate NoScript into WebKit :)


On 25.02.2008, at 20:54, Richard M. Smith wrote:
> I just don't see the big deal here.  Developers can create insecure
> applications in most any programming language.  Why pick on AIR?


I have been able to exploit a custom AIR app with a simple XSS at
Basecamp in order to manipulate data on hosts running this app with
the AIR beta.

Adobe changed the way AIR handles remote JS, so I personally
didn't find a quick way to circumvent it. Remote JS obviously runs
in a different sandbox so it cannot execute AIR API functions.
But I haven't looked into sandbox bridging yet.


kthnxbye,
     fukami


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
