Neil wrote:

> I think Stuart would be happy if XBL used its attacher's security
> principal. I am guessing he wants to place a binding in
> resource:/res/html.css and get privileges on the bound XBL. Is that
> still a security hole? (probably:-)

Yes, that's exactly what I want - you expressed it much more succinctly than I did. Either that, or used the XBL document's principal but forbid access to trusted XBL from untrusted CSS (much as trusted .js files cannot be invoked <script src=""> in untrusted html).

Thanks for the clearer explanation :)

Stuart.
- Is the security model XBL uses wrong? Stuart Ballard
