"Allowing this script to run may open you to all kinds of malicious attacks by 3rd parties not associated with the party whom you're trusting."
If I give App XYZ super power to do anything, and XYZ gets compromised/hacked, then I'll be open to all sorts of attacks. It's not an issue of party A trusting party B. It's an issue of trusting that party B has no security holes in their app whatsoever, and that is one of the hardest things to guarantee.

On Tue, Nov 18, 2014 at 8:00 PM, Michaela Merz <michaela.m...@hermetos.com> wrote:
>
> Yes Boris - I know. As long as it doesn't have advantages for the user
> or the developer - why bother with it? If signed code would allow
> special features - like true fullscreen or direct file access - it
> would make sense. Signed code would make script much more resistant to
> manipulation and therefore would help in environments where trust and/or
> security is important.
>
> We use script for much, much more than we did just a year or so ago.
>
> Michaela
>
> On 11/19/2014 04:40 AM, Boris Zbarsky wrote:
> > On 11/18/14, 10:26 PM, Michaela Merz wrote:
> >> First: We need signed script code.
> >
> > For what it's worth, Gecko supported this for a while. See
> > <http://www-archive.mozilla.org/projects/security/components/signed-scripts.html>.
> > In practice, people didn't really use it, and it made the security
> > model a _lot_ more complicated and hard to reason about, so the
> > feature was dropped.
> >
> > It would be good to understand how proposals along these lines differ
> > from what's already been tried and failed.
> >
> > -Boris