Ian Hickson wrote:
> > Does that include giving remote html documents access to modify (their
> > instance of) html.css?
>
> If they can get hold of it, yes. The CSSOM (rightly) gives no way for
> script to get a pointer to the UA or user stylesheets, though.

How sure are you that they can't get hold of it? How secure would you feel if you knew that there was a remote-write-access-to-your-local-disk exploit that would be possible if they could get hold of a pointer to html.css?

The reason I ask is that, based on other subthreads here, it looks like we want to move to a model where XBL rules added through html.css are trusted. This opens up an exploit if a remote document can modify its instance of html.css, since any bindings it adds through html.css would execute trusted.

Based on your knowledge of CSSOM, would you feel comfortable making this change without adding extra restrictions (e.g. ensuring that they couldn't modify html.css even if they found it)?

Thanks,
Stuart.
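The trust question in the message above, as an added example that is not part of the thread and not Mozilla code: a small model in which bindings are attached by stylesheet rules at the CSSOM's UA/user/author levels. The "trust by sheet level" policy is the one the subthread is moving toward; the two mitigations shown (deciding trust from the binding's own origin, and making the UA sheet read-only so insertRule() is refused) correspond to the extra restrictions Stuart asks about. All class and function names, the binding-rule field, and the URLs are hypothetical and constructed for the example.

```javascript
// Cascade levels as in the CSSOM; html.css is the UA sheet.
const Level = Object.freeze({ UA: "ua", USER: "user", AUTHOR: "author" });

// Hypothetical minimal stylesheet: a rule is a selector plus the URL of the
// XBL-style binding it attaches.
class StyleSheet {
  constructor(level, href) {
    this.level = level;   // cascade level the sheet was loaded at
    this.href = href;
    this.frozen = false;  // hypothetical flag: once frozen, insertRule() is refused
    this.rules = [];
  }
  freeze() {
    this.frozen = true;
    return this;
  }
  // Mirrors CSSOM insertRule(): appends a rule and returns its index.
  insertRule(selector, bindingUrl) {
    if (this.frozen) {
      throw new Error(`insertRule refused on read-only sheet ${this.href}`);
    }
    this.rules.push({ selector, bindingUrl });
    return this.rules.length - 1;
  }
}

// Policy 1 (the model discussed in the thread): a binding is trusted because
// the rule that attached it lives in the UA sheet (html.css).
function trustBySheetLevel(sheet, rule) {
  return sheet.level === Level.UA;
}

// Policy 2 (hardened): sheet level alone is not enough; the binding must also
// come from a chrome: URL, so a remote URL smuggled into html.css still runs
// untrusted.
function trustByBindingOrigin(sheet, rule) {
  return sheet.level === Level.UA && rule.bindingUrl.startsWith("chrome://");
}

// Walk every sheet and decide, per binding, whether it would execute trusted.
function resolveBindings(sheets, policy) {
  const out = [];
  for (const sheet of sheets) {
    for (const rule of sheet.rules) {
      out.push({
        sheet: sheet.href,
        selector: rule.selector,
        bindingUrl: rule.bindingUrl,
        trusted: policy(sheet, rule),
      });
    }
  }
  return out;
}

// Scenario from the message: a remote document has somehow obtained a pointer
// to its instance of html.css and inserts a rule pointing at its own binding.
function scenario({ freezeUaSheet, policy }) {
  const htmlCss = new StyleSheet(Level.UA, "html.css");
  // Constructed chrome binding standing in for the UA's own rules.
  htmlCss.insertRule("input[type=file]", "chrome://global/content/bindings/filefield.xml");
  if (freezeUaSheet) htmlCss.freeze();

  // The remote page's own author sheet (constructed URLs).
  const pageCss = new StyleSheet(Level.AUTHOR, "http://remote.example/page.css");
  pageCss.insertRule("div.widget", "http://remote.example/widget.xml");

  let blocked = false;
  try {
    htmlCss.insertRule("body", "http://remote.example/widget.xml");
  } catch (e) {
    blocked = true; // the read-only restriction stopped the write
  }

  const bindings = resolveBindings([htmlCss, pageCss], policy);
  return {
    blocked,
    remoteTrusted: bindings.some((b) => b.bindingUrl.startsWith("http://") && b.trusted),
    chromeTrusted: bindings.some((b) => b.bindingUrl.startsWith("chrome://") && b.trusted),
  };
}

console.log("trust by sheet level:", scenario({ freezeUaSheet: false, policy: trustBySheetLevel }));
console.log("trust by binding origin:", scenario({ freezeUaSheet: false, policy: trustByBindingOrigin }));
console.log("read-only html.css:", scenario({ freezeUaSheet: true, policy: trustBySheetLevel }));
```

Under the first policy the remote binding inserted into html.css executes trusted, which is exactly the exploit path described above; either mitigation closes it while the UA's own chrome binding stays trusted. The two restrictions are independent, so a real implementation would want both: origin-based trust survives a leaked sheet pointer, and a read-only sheet survives a policy bug.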
Other messages in this thread (Re: Is the security model XBL uses wrong?), in archive order: David Hyatt, Neil, Stuart Ballard, Stuart Ballard, David Hyatt, Stuart Ballard, Ian Hickson, Ian Hickson, Stuart Ballard, Ian Hickson, Stuart Ballard, Mitchell Stoltz, Ian Hickson, Stuart Ballard, Stuart Ballard, Ian Hickson, Axel Hecht, Stuart Ballard, Eric Murphy, Ian Hickson.
