That would be bad. How could an attacker modify html.css any more than
any local file?
-Mitch
Stuart Ballard wrote:
>
> How sure are you that they can't get hold of it? How secure would you
> feel if you knew that there was a remote-write-access-to-your-local-disk
> exploit that would be possible if they could get hold of a pointer to
> html.css?
>
> The reason I ask is that, based on other subthreads here, it looks like
> we want to move to a model where XBL rules added through html.css are
> trusted. This opens up an exploit if a remote document can modify its
> instance of html.css, since any bindings it adds through html.css would
> execute trusted. Based on your knowledge of CSSOM, would you feel
> comfortable making this change without adding extra restrictions (e.g.
> ensuring that they couldn't modify html.css even if they found it)?
>
> Thanks,
> Stuart.
>
