Daniel Veditz wrote:
>
> Last week the "Wiretap" exploit came to light and this build has fixes for
> that exploit (as does the Mozilla trunk, although the exploit wasn't
> effective against Mozilla unless you were foolish enough to enable
> javascript in mail/news).

I cannot see any fix for the Wiretap exploit in the trunk. It is still possible with 0.8 if you enable JS for Mail & News.

I cannot comment in bug 66938 because it is confidential, so I do here:

The fix in the Netscape 6.0x branch seems to be http://bugzilla.mozilla.org/showattachment.cgi?attach_id=23769 .

Why do we want to do something like that? If we allow JS for mail at all, why restrict access to e.g. someimage.src? What we want to prevent is access to other parts of a message. Thus, the clean way would be to place attachments in an <iframe> and restrict access to parent.* from within.

That would solve the problems with style too (see news://news.mozilla.org/3A843605.7971EF63%40clarence.de ).

Clarence
Wiretap exploit (was: Re: next Netscape release)
Clarence (Andreas M. Schneider) Thu, 15 Feb 2001 18:22:22 -0800
