JoeS wrote:
> Yes, but only if you know that default policies have been violated.

Er... you can set up policies even if nothing has been violated.

> I think at least an alert should be done here

So a site can go into an endless alert loop by violating a security policy in a
setInterval? No, thanks.

> This webpage/mail/newsgroup has violated the following default security
> policy

If you really think we should be telling the user in an alert every time we
block an exploit attempt, let me know. I can ship you a build with a few alerts
like that enabled; good luck browsing the web.

> Don't know a lot of folks who check the javascript console regularly,
> and certainly not the average user. The description there does not
> always lead one to the proper violation. In my experience, I had to
> guess a lot on what policy was being violated.

File bugs if the error reports are not clear enough; cite specific examples. We
can't fix issues if we don't know about them.

> It took me almost 3 years to find out about the CAPS policies in
> Mail/News and what they could do. Most users looking for more capability
> would not stick around that long.

Sure. That's because the CAPS policies set by default in mailnews are there to
prevent specific exploits. Changes to them are opening up security holes; I
don't see why anyone would be changing any of them.

If your issue is that there is no UI for CAPS configuration in general, there's
a bug on that. Helpwanted.

>> Decide what?
> If the user wants to give up security for the sake of functionality.

The user will do that in 50% of the cases if given such a choice, without any
understanding of either the security or the functionality aspects. That is, in
a situation like this giving users choice (by default) is a great disservice to
them.

For advanced users and for sites that use enablePrivilege the story is
different, of course.

> OE shows an alert "do you want to continue running scripts on this page"

OE being an example of a secure e-mail app, then? ;)

-Boris
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security