Jonas Sicking wrote:
> Marine wrote:
>
>> Boris Zbarsky wrote:
>>
>>> Marine wrote:
>>>
>>>
>>>> However, I don't see how to put all the code in a signed jar, as JSP
>>>> will generate HTML code dynamically for each client request.
>>>>
>>> Is it possible to dynamically generate the signed jar? Or move the
>>> logic from server to client?
>>>
>>>
>> I fear it won't be easy... and I don't want to waste a lot of time on
>> this, to finally see it's not possible :(
>> Except if someone can tell me he has already done that, and how?
>>
>>
>>> I don't claim this is easy to do, basically. The signed jar model is
>>> not the easiest thing in the world to work with. :(
>>>
>>>
>> Yes, another way to certify code would be nice. For example, register
>> in Firefox the URL of a given website that may use advanced privileges.
>> But maybe it wouldn't be safe, I'm a newbie in browser security!
>>
>
> The signed script feature is something that we really want to kill. As
> you have noticed, it is far from easy to work with. Additionally it
> increases our attack surface for people trying to hack Firefox and its
> users a lot.
>
> The recommended solution is instead to write a Firefox extension. This
> extension can download any dynamic resource you want without having to
> bother with signing.
>
> / Jonas
>
OK, nice to know the general development tendency, to choose the better
way to do things.
So I will write an extension.
Thanks again for your replies.
Marine
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security