On 04/11/2009 15:49, Ben Bucksch wrote:
> As requested during the review of autoconfig, I would like to pose the
> fetch ISP part of the feature for security review.


On the whole, I would say that it should be Mozilla's working practice to aggressively promote this sort of work. We need improvements in security and usability, and they won't be coming on a silver platter from elsewhere; if you can do this, by all means.

I read the rest of the post, and where I saw/understood the security weaknesses presented, these seemed to be acceptable risks of attacks that would occur in the fullness of time, by which time you can better refine and develop the proposals. E.g., acknowledge, accept, mitigate later.

my 2c.

iang
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
