On Dec 19, 2005, at 2:40 PM, Ian Hickson wrote:
"Untrusted content" is unclear. It implies the existence of
something that isn't "untrusted content", i.e. "trusted content".
Where is that defined? I do not believe it is defined anywhere, in
which case specifying its behavior seems non-useful.
I have rephrased this sentence.
I think this section is still somewhat problematic because a reasonable
behavior is to allow "get" posts to "file:" URLs from a local file
document that is not marked trusted in any special way, as such a
document can already do normal "file:" URL loads anyway through other
mechanisms.
Um, they shouldn't be able to. Or at least, in many UAs they can't.
Do you know of UAs that will prevent a file: URL document from
loading another file: URL in a frame or iframe? Or apply any
restrictions to scripting access to the resulting document? I don't
know of any that will. Form submission to a file: URL with the get
method doesn't afford any new avenues of attack that this capability
doesn't.
And this is much less risky than allowing execution of programs or
writing/deleting of files.
Depends on what file you allow access to (/dev/mouse?)
I don't think reading /dev/mouse will specifically do anything bad,
but I see your point. For file: in file: inclusion I think it would
be wise to exclude certain system paths such as /dev and /etc. I
think this may be done already.
Regards,
Maciej
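As an added illustration of the policy sketched in this exchange (this is not code from the thread or from any browser): a file: document may submit a GET form to a file: URL, but target paths under system directories such as /dev and /etc are refused. The function names, the blocked-prefix list, and the decode-then-normalize step are assumptions for the example; the last is what keeps "%2e%2e" and "/tmp/../etc" from slipping past a plain prefix comparison.

```python
import posixpath
from typing import Optional
from urllib.parse import urlsplit, unquote

# Assumed blocklist, taken from the directories named in the thread.
BLOCKED_PREFIXES = ("/dev", "/etc")


def canonical_file_path(url: str) -> Optional[str]:
    """Return the normalized local path of a file: URL, or None if the
    URL is not a plain local file: URL (other scheme, remote host)."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        return None
    # file://host/... with a non-local host is not a local file.
    if parts.netloc not in ("", "localhost"):
        return None
    # Decode percent-escapes BEFORE collapsing dot segments, otherwise an
    # encoded ".." ("%2e%2e") survives normpath and defeats the prefix check.
    raw = unquote(parts.path)
    # Force a single leading "/" so "//etc" cannot dodge the comparison;
    # posixpath.normpath also resolves "/../x" to "/x".
    return posixpath.normpath("/" + raw.lstrip("/"))


def is_blocked_path(path: str) -> bool:
    """True if `path` is one of the blocked directories or lies inside one."""
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES)


def allow_file_target(document_url: str, action_url: str, method: str) -> bool:
    """Decide whether a form in `document_url` may submit to `action_url`.

    Only file: targets are judged here; other schemes are left to their
    own rules (assumption for this example)."""
    if urlsplit(action_url).scheme != "file":
        return True
    # Only a document that is itself a local file may reach file: targets.
    if urlsplit(document_url).scheme != "file":
        return False
    # The thread argues for GET only; anything else is refused.
    if method.upper() != "GET":
        return False
    target = canonical_file_path(action_url)
    if target is None:
        return False
    return not is_blocked_path(target)
```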