On Sunday 18 January 2009 10:30, Daniel Cheng wrote:
> On Sun, Jan 18, 2009 at 6:13 PM, Florent Daignière
> <nextgens at freenetproject.org> wrote:
> > * svenerichoffmann at gmx.de <svenerichoffmann at gmx.de> [2009-01-18
> > 00:50:17]:
> >
> >> I think the only "real" solution to guarantee safety
> >> is a dedicated freenet browser.
> >>
> >> Trying to control the behaviour and safety of standard browsers
> >> is seriously problematic. As Webmaster I know how much information
> >> can be gained from visitors.
> >>
> >> A dedicated browser would also give full control about timings
> >> and how many connections to fproxy are made.
> >>
> >
> > Agreed, toad is going on the wrong path here... Just tell the user that
> > he *needs* to use a separate browser, if he doesn't do so, it's *his*
> > problem.
> >
> > You've already spent hours^wdays implementing the useless history
> > cloaking thingy (which can be easily bypassed anyway), you've
> > added one step in the wizard (previously we had an argument
> > because you wanted me to keep down to a minimum the number
> > of steps) and no one is happy with the current solution!
> >
> > Not even you!
>
> Agree.
>
> This is the kind of code I consider ugly:
>  - invasive
>     cross across many layers and classes,
>     when you are "fix"ing the link twice, you know there are some
>     fundamental design problems.
>     this kind of magic discourages casual code/patch contributors
>  - not fixing the real problem ( there are other ways to know if you
>     are running freenet.
>     for example, just include a <img src="http://127.0.0.1:8888"
>     onLoad="freenetLoaded();" />

IMHO this qualifies as a cross-site scripting attack. Don't browsers have to
prevent this already? Just as you can't access a frame opened to another site?

>     then the website can be 99.999% sure you have freenet installed ).
>     Freenet is illegal in many places and *will be* illegal everywhere soon.
>  - reduce usability (copy uri from frost / im )
>
> Maybe we should try the other way round: detect if the user uses the
> same browser for other web sites and issue a big fat warning for this.

But how would we reliably do this?

We need full control here, for good security and good performance. We need a
custom Freenet browser which talks FCP, and we need to TURN OFF FPROXY BY
DEFAULT and warn users that it is insecure and slow to access Freenet via your
web browser.
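
Added example, not part of the original message and not Freenet's code: one way a service listening on 127.0.0.1:8888 could tell the embedded `<img>` request described in the thread apart from its own pages, using the request headers a browser sends. The function names, the `localhost` alias and the use of the `Sec-Fetch-Site` header are assumptions of this sketch; the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the node's web interface address, taken from the URL quoted in the thread.
LOCAL_ORIGINS = {"http://127.0.0.1:8888", "http://localhost:8888"}

def origin_of(url):
    """Return scheme://host[:port] for an absolute URL, else None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"

def classify_request(headers, local_origins=LOCAL_ORIGINS):
    """Classify a request to the local node as 'local', 'foreign' or 'unknown'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # 1. Fetch Metadata, when the browser sends it, states the relationship directly.
    site = h.get("sec-fetch-site")
    if site in ("same-origin", "none"):      # own page, or typed/bookmarked URL
        return "local"
    if site in ("same-site", "cross-site"):  # another page triggered the request
        return "foreign"
    # 2. Otherwise compare the Origin or Referer origin with our own.
    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            return "local" if origin_of(value) in local_origins else "foreign"
    # 3. No evidence either way (header stripped, or a URI pasted from another
    #    program): the caller must pick a policy, e.g. allow top-level pages only.
    return "unknown"

# Constructed sample requests.
SAMPLES = {
    "img embedded in an outside page": {"Host": "127.0.0.1:8888",
                                        "Referer": "http://example.com/page.html"},
    "same, with Fetch Metadata": {"Sec-Fetch-Site": "cross-site",
                                  "Sec-Fetch-Dest": "image"},
    "link followed inside the node's UI": {"Referer": "http://127.0.0.1:8888/"},
    "sandboxed or opaque origin": {"Origin": "null"},
    "no Referer at all": {"Host": "127.0.0.1:8888"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:36} -> {classify_request(headers)}")
```

A request refused this way is still answered by a listening port, so the check limits what an outside page can load from the node but does not by itself hide that something is listening on 127.0.0.1:8888.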
