You seem to be suggesting a huge number of settings. I submit the average user will only get confused.
The amazing number of settings of IE that you mention doesn't convince me -- it looks to me more like MS is trying to intimidate users. If you want the user to disable this or that feature before entering a site, fine. On the other hand, why should the user even need to know about this or that feature in the computer world?

Stephan

On Sat, 19 Feb 2005 15:03:37 +0100, Anthony G. Atkielski <[EMAIL PROTECTED]> wrote:
> At this early stage of Firefox public development, it might be a good
> time to define a flexible model for controlling exactly what can and
> cannot be done in the browser by Web pages and sites.
>
> Microsoft Internet Explorer had a few interesting controls that allowed
> some individualization of control, but it didn't go far enough. Firefox
> has a few controls as well, but it doesn't even go as far as MSIE,
> whereas it should be going even farther in order to improve security.
>
> For example, consider these suggestions:
>
> - Firefox should define a generous number of security categories into
> which sites can be grouped, ranging from fully trusted to fully
> untrusted. There should be security settings for each category
> appropriate to its level by default, but it should be possible to modify
> the settings for any category to any degree.
>
> - The settings for each category should cover every single issue that
> might present a security risk, from the simple display of images to the
> exact identities of active components or plug-ins that are allowed to
> execute, with separate control for downloading (I personally don't like
> the idea of ActiveX or anything like it at all, but I imagine the market
> will force accommodation of something like this in time). It must be
> possible to enable or disable Java, Javascript, active content
> (preferably by individual module), and anything else that might open a
> door on the local machine. It should be possible to lock down the
> browser so tightly that it can barely display anything beyond plain
> text.
>
> - It should be possible to specify which sites are in which categories.
> A default configuration can be provided, and the user should be able to
> modify this in any desired way. The list of sites for each category
> should allow not only specific FQDNs for sites, but also resource
> indicators (http vs. https, ftp, mailto, etc.). Some sort of wildcard
> provisions must be made as well: domain.com means "only the URL
> domain.com," *.domain.com means "anything in domain.com or a subdomain
> of domain.com," and so on. It should be possible to specify both FQDNs
> and numeric IP addresses.
>
> - Some provision for saving and loading the security configuration
> should be provided, so that users can load packaged configurations
> and/or save configurations they have prepared. It should also be
> possible to load partial modifications (modifying the security settings
> for only one category, etc.). None of these actions should be possible
> from within a Web page--it must not be something that a dishonest site
> could do via a Web page, in other words.
>
> These enhancements would be a huge step forward for security and would
> largely eliminate the problems of adware, spyware, viruses, etc., since
> conscientious users could lock down their Firefox browser to any desired
> degree.
>
> After using Firefox for a few weeks now, I think the only real
> hesitation I have in abandoning MSIE is the lack of features such as
> I've outlined above. MSIE is far from ideal, but it still provides more
> granular control over security than Firefox does. But if Firefox begins
> to provide the same control or better, there will be no real reason to
> retain MSIE for anything.
>
> BTW, I personally don't care if Firefox ever allows anything like
> ActiveX. I've never encountered a site that had a truly serious and
> legitimate need to use ActiveX controls, and I think the Web would be
> better off without them. That includes Flash.
>
> --
> Anthony
>
> _______________________________________________
> Mozilla-security mailing list
> [email protected]
> http://mail.mozilla.org/listinfo/mozilla-security
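
The site-pattern rules proposed in the quoted message (exact host, `*.domain.com` wildcard, optional scheme, numeric IP) can be sketched as a small matcher that maps a URL to a security category. This is an added example, not code from the thread or from Firefox; the rule syntax, category names, sample policy, most-specific-wins ordering and fail-closed default are all assumptions.

```javascript
// Constructed sample policy; rule syntax and category names are assumptions.
const POLICY = [
  { pattern: "https://bank.example", category: "trusted" },
  { pattern: "*.example.org", category: "restricted" },
  { pattern: "intranet.example.org", category: "trusted" },
  { pattern: "192.0.2.10", category: "restricted" },
];
const DEFAULT_CATEGORY = "untrusted"; // unmatched or unparsable URLs fail closed

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// "[scheme://][*.]host" -> structured rule. IPv6 literals are out of scope here.
function parseRule({ pattern, category }) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(pattern.trim());
  if (!m) throw new Error("bad pattern: " + pattern);
  const host = m[3].toLowerCase();
  if (m[2] && IPV4.test(host)) throw new Error("wildcard on IP address: " + pattern);
  return { scheme: m[1] ? m[1].toLowerCase() : null, wildcard: Boolean(m[2]), host, category };
}

function matches(rule, scheme, host) {
  if (rule.scheme && rule.scheme !== scheme) return false;
  if (host === rule.host) return true; // "*.domain.com" also covers domain.com itself
  // Wildcards match only on a label boundary, so "evildomain.com" never matches "*.domain.com".
  return rule.wildcard && host.endsWith("." + rule.host);
}

// Exact host beats wildcard, longer host beats shorter, scheme-qualified beats unqualified.
function specificity(rule) {
  return (rule.wildcard ? 0 : 1000000) + rule.host.length * 2 + (rule.scheme ? 1 : 0);
}

function categorize(url, policy = POLICY) {
  let parsed;
  try { parsed = new URL(url); } catch { return DEFAULT_CATEGORY; }
  // Match on the parsed hostname, never on a substring of the raw URL text.
  const host = parsed.hostname.toLowerCase().replace(/\.$/, "");
  const scheme = parsed.protocol.slice(0, -1);
  if (!host) return DEFAULT_CATEGORY; // e.g. mailto: URLs carry no host
  const hits = policy.map(parseRule).filter((r) => matches(r, scheme, host));
  if (hits.length === 0) return DEFAULT_CATEGORY;
  return hits.reduce((a, b) => (specificity(b) > specificity(a) ? b : a)).category;
}
```
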
