Since we shipped a fix for this in 6.01, I have opened bug 66938 for
public viewing. Let's continue this discussion there. I've posted my
reply in the bug.
-Mitch
Clarence (Andreas M. Schneider) wrote:
> Daniel Veditz wrote:
>
>> Last week the "Wiretap" exploit came to light and this build has fixes for
>> that exploit (as does the Mozilla trunk, although the exploit wasn't
>> effective against Mozilla unless you were foolish enough to enable
>> javascript in mail/news).
>
>
> I cannot see any fix for the Wiretap exploit in the trunk.
> It is still possible with 0.8 if you enable JS for Mail & News.
>
> I cannot comment in bug 66938 cause it is confidental, so I
> do here: The fix in the Netscape 6.0x branch seems to be
> http://bugzilla.mozilla.org/showattachment.cgi?attach_id=23769 .
> Why do we want to do something like that? If we allow JS for
> mail at all, why restrict access to e.g. someimage.src?
>
> What we want to prevent is access to other parts of a message.
> Thus, the clean way would be to place attachments in an <iframe>
> and restrict access to parent.* from within. That would solve
> the problems with style too (see
> news://news.mozilla.org/3A843605.7971EF63%40clarence.de ).
>
> Clarence
