Boris Zbarsky wrote:
JoeS wrote:
Yes, but only if you know that default policies have been violated.

Er... you can set up policies even if nothing has been violated.

I think at least an alert should be done here

So a site can go into an endless alert loop by violating a security policy in a setInterval? No, thanks.

This webpage/mail/newsgroup has violated the following default security policy

If you really think we should be telling the user in an alert every time we block an exploit attempt, let me know. I can ship you a build with a few alerts like that enabled; good luck browsing the web.

Don't know a lot of folks who check the javascript console regularly, and certainly not the average user. The description there does not always lead one to the proper violation. In my experience, I had to guess a lot on what policy was being violated.

File bugs if the error reports are not clear enough; cite specific examples. We can't fix issues if we don't know about them.

It took me almost 3 years to find out about the CAPS policies in Mail/News and what they could do. Most users looking for more capability would not stick around that long.

Sure. That's because the CAPS policies set by default in mailnews are there to prevent specific exploits. Changes to them are opening up security holes; I don't see why anyone would be changing any of them.

If your issue is that there is no UI for CAPS configuration in general, there's a bug on that. Helpwanted.

Decide what?
If the user wants to give up security for the sake of functionality.

The user will do that in 50% of the cases if given such a choice, without any understanding of either the security or the functionality aspects. That is, in a situation like this giving users choice (by default) is a great disservice to them.

For advanced users and for sites that use enablePrivilege the story is different, of course.

OE shows an alert "do you want to continue running scripts on this page"

OE being an example of a secure e-mail app, then?  ;)

-Boris
No, I certainly don't consider OE a secure e-mail app. My main interest is newsgroups, and the fact that the default CAPS policy, as it is written, applies equally to mail and news. I'm fine with the "phone tap" fixes in mail, but they leave the impression that Gecko is 'less capable' when applied to newsgroup posts. I am speaking about a large segment of OE and Gecko users that use scripts and graphics to create artful presentations. These are, in effect, mini webpages that would render quite happily in the browser. While a strict policy is desirable for mail, some easy way to modify news security separately could be helpful.
// Restrictions on the DOM for mail/news - see bugs 66938 and 84545
pref("capability.policy.mailnews.sites", "mailbox: imap: news:");

Mail and news have very different security needs IMHO

Joe
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
