When trying out tiddlywiki for the past few days, I had some concerns
that "always allow" permissions for file:// saving via javascript
would enable any and all javascripts loaded from the filesystem to
have free rein over all my bits.

Today, I stumbled across FirefoxPrivilegesPlugin and the discussion at

    http://groups.google.com/group/tiddlywiki/msg/c503b956c2c2c6df

helped a lot for installing it as a tiddler, although the instructions
for bookmarklet install did not work for me since I could not find a
bookmarklet link to drag to the toolbar.  That posting is over a year
old, but ensuring good javascript hygiene is important enough that
first-time users get it right away when visiting tiddlywiki.com.

Since I previously did the "always allow" file:// for saving
tiddlywiki 2.6.0, FirefoxPrivilegesPlugin showed those prior
permission grants with warnings (but only after I submitted) and I
removed those grants.

Question:

* Is the bookmarklet form of FirefoxPrivilegesPlugin better to use not
only for convenience (readily at hand for future permission giving)
but also because there is more risk when it is embedded in a
tiddlywiki?

Overall, the principle of least privilege should be applied
proactively for tiddlywiki since doing so after a tiddler compromise
would stunt adoption of this curious self-modifying javascript.

Suggestion:

*  Getting-started instructions for tiddlywiki should make it clear
and easy to have good javascript hygiene.
