On 3/13/11 2:05 PM, Felix Kling wrote:
> I filed a bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=641342
> I hope I have done it right.

Thanks, yes.

I commented on the bug, and we need to fix part of this on our end, but this protocol handler is fundamentally insecure. You need to either make it not LOADABLE_BY_ANYONE or force the pages it loads to not have the system principal (by explicitly setting the owner on the channel you create to null, say).

-Boris
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
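
The two remediations named in the reply above, as an added example that is not code from the thread or from the extension it discusses. The `example` scheme, the chrome URL, `makeHandler`, `auditHandler` and the mock I/O service are assumptions, written so the logic can be exercised outside Firefox.

```javascript
// Added illustration, not code from the thread. The "example" scheme, the
// chrome URL and the mock below are hypothetical. Flag values mirror
// nsIProtocolHandler; in an extension use Ci.nsIProtocolHandler.* instead.
const FLAGS = {
  URI_LOADABLE_BY_ANYONE: 1 << 6,
  URI_DANGEROUS_TO_LOAD: 1 << 7,
};

// Builds a handler that serves its scheme by wrapping a privileged channel.
//   opts.loadableByAnyone: advertise URI_LOADABLE_BY_ANYONE (the weak setting)
//   opts.dropOwner: clear the owner on the channel before returning it
function makeHandler(ioService, opts) {
  return {
    scheme: "example",
    protocolFlags: opts.loadableByAnyone
      ? FLAGS.URI_LOADABLE_BY_ANYONE
      : FLAGS.URI_DANGEROUS_TO_LOAD, // one possible stricter flag
    newChannel(uri) {
      const channel = ioService.newChannel(
        "chrome://example/content/page.html", null, null);
      channel.originalURI = uri;
      if (opts.dropOwner) {
        channel.owner = null; // page no longer inherits the inner channel's owner
      }
      return channel;
    },
  };
}

// Review check: insecure when any page can reach the scheme AND the channel
// it gets back is still owned by a privileged principal.
function auditHandler(handler, uri) {
  const reachable =
    (handler.protocolFlags & FLAGS.URI_LOADABLE_BY_ANYONE) !== 0;
  const owner = handler.newChannel(uri).owner;
  const privileged = owner !== null && owner.isSystem === true;
  return { reachable, privileged, insecure: reachable && privileged };
}

// Constructed stand-in for nsIIOService: its channels carry a system owner,
// marked here with a made-up isSystem property.
const mockIoService = {
  newChannel(spec) {
    return { spec, originalURI: null, owner: { isSystem: true } };
  },
};
```

Either change alone makes `auditHandler` report `insecure: false`; applying both closes the reachability and the privilege side at once.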
