Mitch wrote:
>What "implementation issues" are you concerned about? Anything specific?
>
I think he is concerned about the same thing I am: It is a fact that
almost all security holes discovered in the last time (in both Mozilla
and 4.x) need Javascript to work or often even are about bugs in the
JavaScript/DOM implementation and their security policies. In other
words, if you disable JavaScript, you are protected from most exploits.
Unfortunately, disabling JavaScript is not feasible in the current web
(at least not for me).
I am sure that you know that there are often tradeoffs between
functionality and security.
AOL/Netscape being a content provider often takes the functionality
route. (Some people will remember the discussion about remote chrome and
the arguments of some Netscape employees for enabling it.)
Some users care more about security and are willing to accept some
functionality limitations for that.
It would be nice to compile a list of these dangerous functions and then
implement pref(s) to disable them. Hopefully, this will protect people
which disable these functions from some of the future exploits, or it
will offer a quick workaround, if an exploit is found.
I agree that we should use a new thread for this discussion.
