Marine wrote:
> Boris Zbarsky wrote:
>> Marine wrote:
>>
>>> However, I don't see how to put all the code in a signed jar, as JSP
>>> will generate HTML code dynamically for each client request.
>>
>> Is it possible to dynamically generate the signed jar? Or move the
>> logic from server to client?
>>
> I fear it won't be easy... and I don't want to waste a lot of time on
> this, to finally see it's not possible :(
> Except if someone can tell me he has already done that, and how?
>
>> I don't claim this is easy to do, basically. The signed jar model is
>> not the easiest thing in the world to work with. :(
>>
> Yes, another way to certify code would be nice. For example, register
> in Firefox the URL of a given website that may use advanced privileges.
> But maybe it wouldn't be safe, I'm a newbie in browser security!

The signed script feature is something that we really want to kill. As you have noticed, it is far from easy to work with. Additionally it increases our attack surface for people trying to hack Firefox and its users a lot.

The recommended solution is instead to write a Firefox extension. This extension can download any dynamic resource you want without having to bother with signing.

/ Jonas
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
