On Wed, May 02, 2007 at 11:24:34AM +0200, Udo Giacomozzi wrote: > Hello Rob, > > Thursday, April 26, 2007, 6:28:51 PM, you wrote: > >> "Do you think that a command-line switch to allow the use of specified > >> extensions is enough?" > > RS> No. I'd rather we have an actually thought out security plan instead. > RS> We could add an option like that for now, but it's be a temporary fix > RS> when we should really focus on the correct solution, whatever that is. > > I'd like to *remind* that the MM player pops up a confirmation dialog > when accessing the webcam, for example. This *could* be a solution for > the FileIO problem too.
Yes, more callbacks to the GUI will be needed for this. > Anyway, I see some important things: > > - extensions should be enabled at compile time explicitly (they will > probably be used only for special cases) They are already. > - the user should know in some way when a security relevant extension > is being used by a movie (I would not want that my browser allows > full file system access to any movie I see on a web page) We have a log_security() function which is currently used for loading resources. We should use it for FileIO and similar things too, even if for just saying: we're allowing this (so the user knows). > - in certain cases, extensions should be allowed explicitly and > without bothering the user (important for embedded designs) Wouldn't a config file be enough ? --strk; _______________________________________________ Gnash-dev mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnash-dev
