On Sat, 30 Jun 2001, Stuart Ballard wrote:
> Ian Hickson wrote:
> >
> > > Does that include giving remote html documents access to modify (their
> > > instance of) html.css?
> >
> > If they can get hold of it, yes. The CSSOM (rightly) gives no way for
> > script to get a pointer to the UA or user stylesheets, though.
>
> How sure are you that they can't get hold of it?
Pretty sure.
> How secure would you feel if you knew that there was a
> remote-write-access-to-your-local-disk exploit that would be possible
> if they could get hold of a pointer to html.css?
It wouldn't be write access to the hard disk; but I wouldn't like it if
script could, on the fly, change my user stylesheet preferences, even on
a per-session basis.
> The reason I ask is that, based on other subthreads here, it looks like
> we want to move to a model where XBL rules added through html.css are
> trusted.
Ok... (We had better make sure none of the methods of those bindings do
anything dodgy, btw!)
> This opens up an exploit if a remote document can modify its instance
> of html.css, since any bindings it adds through html.css would execute
> trusted.
Sure. Thankfully, that can't be done. (Or if it can, it's a very serious
privacy bug.)
> Based on your knowledge of CSSOM, would you feel comfortable making
> this change without adding extra restrictions (eg ensuring that they
> couldn't modify html.css even if they found it)?
I don't see the point. We have a security model here ("you can't get
access to the stylesheet"), we should rely on it working. Using multi-tier
security models seems needlessly wasteful. (Also, how would you test it?)
It would be a serious privacy bug even if you could _read_ the UA or user
stylesheets through the CSSOM.
ObDisclaimer: I'm no security expert!
--
Ian Hickson
Netscape, Standards Compliance QA
+1 650 937 6593
irc.mozilla.org:Hixie
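The reply above rests on one rule ("script can't get a pointer to the UA or user stylesheets") and asks how such a rule would be tested. Below is an added example, not part of the original thread or of Mozilla's code, of a page-side audit that walks every stylesheet reachable through the CSSOM (document.styleSheets plus @import chains) and reports any whose href points at a browser-internal scheme. The internal prefixes, the mock documents and the html.css path used in them are constructed for this illustration; in a real page you would pass `document` instead of the mock.

```javascript
// Added example: audit which stylesheets a page script can reach through
// the CSSOM, and flag any that look like UA or user sheets.
// Assumption: UA/user sheets would betray themselves through an internal
// URL scheme.  The prefixes below are the Mozilla-style ones; extend the
// list for other engines.
const INTERNAL_PREFIXES = ["chrome://", "resource://"];

function isInternalSheet(sheet) {
  const href = sheet.href || "";
  return INTERNAL_PREFIXES.some((p) => href.startsWith(p));
}

// Reading cssRules of a cross-origin sheet throws a SecurityError in
// browsers; treat "unreadable" as a distinct outcome rather than a crash.
function rulesOf(sheet) {
  try {
    return Array.from(sheet.cssRules || []);
  } catch (e) {
    return null;
  }
}

// Breadth-first walk from doc.styleSheets, following @import rules
// (CSSImportRule exposes the imported sheet as rule.styleSheet).
function reachableSheets(doc) {
  const seen = new Set();
  const queue = Array.from(doc.styleSheets || []);
  while (queue.length) {
    const sheet = queue.shift();
    if (seen.has(sheet)) continue;
    seen.add(sheet);
    const rules = rulesOf(sheet);
    if (!rules) continue;
    for (const rule of rules) {
      if (rule.styleSheet) queue.push(rule.styleSheet);
    }
  }
  return Array.from(seen);
}

// Returns what a page could reach, what it could not read, and what
// should never have been reachable at all.
function auditStyleSheetAccess(doc) {
  const sheets = reachableSheets(doc);
  return {
    reachable: sheets.map((s) => s.href || "(inline)"),
    unreadable: sheets.filter((s) => rulesOf(s) === null).map((s) => s.href),
    leaked: sheets.filter(isInternalSheet).map((s) => s.href),
  };
}

// --- Constructed mocks standing in for `document` in a Node run ---
function makeSheet(href, rules, opts = {}) {
  const sheet = { href, ownerNode: opts.ownerNode ?? null };
  Object.defineProperty(sheet, "cssRules", {
    get() {
      if (opts.crossOrigin) throw new Error("SecurityError");
      return rules;
    },
  });
  return sheet;
}

const importedSheet = makeSheet("https://example.test/theme.css", []);

// A well-behaved document: an inline <style> that @imports a same-origin
// sheet, plus a cross-origin sheet whose rules are not readable.
const fakeDocument = {
  styleSheets: [
    makeSheet(null, [{ styleSheet: importedSheet }], { ownerNode: "<style>" }),
    makeSheet("https://cdn.example.test/site.css", [], { crossOrigin: true }),
  ],
};

// A document that violates the rule: the UA sheet is exposed to script.
// The resource:// path is a constructed example value.
const leakyDocument = {
  styleSheets: [
    ...fakeDocument.styleSheets,
    makeSheet("resource://gre-resources/html.css", []),
  ],
};

console.log(auditStyleSheetAccess(fakeDocument));
console.log(auditStyleSheetAccess(leakyDocument));
```

Run in a browser console with `auditStyleSheetAccess(document)`, a non-empty `leaked` list is exactly the privacy bug the reply says would be serious even for read access; the `unreadable` list is the normal cross-origin case and is not a finding.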