Also: https://bugzilla.gnome.org/show_bug.cgi?id=665452

On Mon, Dec 5, 2011 at 5:23 PM, Milan Bouchet-Valat <nalimi...@club.fr> wrote:
> On Monday, 5 December 2011 at 23:14 +0100, Gabriel wrote:
>> Hi all,
>>
>> I may be missing something, but the really nifty extensions site
>> prompted me to ask this, are there not potential security issues with
>> extensions being able to be installed by clicking on a webpage? And
>> since extensions are able to modify the way the UI behaves, could
>> someone not make one that steals users' info, make screenshots, steal
>> passwords (like emulating the login screen for example), etc?
> (Note this applies to any random third-party package users might install
> by clicking on a link and providing their password.)
>
>> I'm sure you thought of all this so I'd be interested in knowing how you
>> protect us (sandboxing, limiting the things the API can do, not allowing
>> access to the HD except through given functions, etc).
> This has been discussed on this list previously. See
> http://lwn.net/Articles/459786/ for a summary and links.
>
> Basically, the Shell ensures the extension comes from
> extensions.gnome.org, which requires a review of the code by other
> hackers; and it will never install/update extensions without user action
> (modal dialog). But once installed, extensions are not sandboxed and can
> do whatever they want to the Shell, or to your files (just like any app
> on the system).
>
>
> Cheers
> _______________________________________________
> gnome-shell-list mailing list
> gnome-shell-list@gnome.org
> http://mail.gnome.org/mailman/listinfo/gnome-shell-list

--
Jasper