On Tue, Feb 26, 2008 at 9:46 AM, Bruno Bowden <[EMAIL PROTECTED]> wrote:
> Caja in its most secure variation prevents the loading of images as that
> leaks information too. We need to have a balance between security and
> practicalities - this will probably vary depending on the context in which
> gadgets are used.

Yeah, but not allowing images is pretty much out of the question. You may as well not render gadgets :) If all images are forced through a rewriting proxy, this might work, but otherwise it's just not feasible. Anyway, I think the IP leaking isn't that big of a deal here now.

> On Mon, Feb 25, 2008 at 6:05 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
>
> > Actually, you're right -- we won't be forcing images through a proxy most
> > likely, so they could always use that vector if they really wanted to
> > steal IPs.
> >
> > On Mon, Feb 25, 2008 at 5:57 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> >
> > > On Mon, Feb 25, 2008 at 5:47 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
> > > > Caja will eliminate this in the long run (as well as my other
> > > > proposed way to steal the IP).
> > >
> > > I'm not sure I believe this. In theory, sure. In practice I suspect
> > > that a policy that prevented the IP address from leaking in any
> > > possible way would also make it very difficult to write cool gadgets.
> > >
> > > I hope to be proved wrong, though.
> > >
> > > Cheers,
> > > Brian
> >
> > --
> > ~Kevin
> >
> > If you received this email by mistake, please delete it, cancel your
> > mail account, destroy your hard drive, silence any witnesses, and burn
> > down the building that you're in.

--
~Kevin

If you received this email by mistake, please delete it, cancel your mail account, destroy your hard drive, silence any witnesses, and burn down the building that you're in.

