On 11.10.2011 04:07, Mike Perry wrote:
>> At the moment, I cannot think of any attack vectors once you combine it
>> with enabled Torbutton (or a stripped down Tor Browser) where active
>> scripting/access to the DOM is disabled completely.
> Actually, these attacks are generally prohibited by strong isolation
> between the content script and the XUL script. In XUL, you can read
> the ciphertext, extract it, decrypt it, and display it in a protected
> XUL window without introducing risk, IF all steps are done properly.

I was thinking of the obvious interaction a user expects for encryption
of plaintext data: I type data into a web form, when I am done I execute
the encrypt command. I don't see how you can isolate web forms in the
DOM in a way that it cannot be read in between typing and encrypting the
data.

--
Moritz Bartl
https://www.torservers.net/
