J. Greenlees writes:

> better now than later. much easier to include while code base isn't as
> large as it will no doubt grow to over time.

I agree, which is why I'm suggesting it now, while there may still be
time.

> like the full suite almost does?

What do you mean by the "full suite"?

> I have tested my browser against the IDN spoof vulnerability, it passed
> as not vulnerable, yet only thing I did was disable java, javascript and
> deny popup windows.

OK, but what happens when you want to deny popups, Java, and Javascript
for some sites, but not for others?  Currently, Java and Javascript are
all-or-nothing--either you enable them for every site, or you don't
enable them for any site.  That's far too inflexible and it will cause
problems down the line.

> possible, but a complex proposal.

Yes.  Fortunately, it need not be included in early versions of the
browser; it could always be added later, if there's a demand for it.

In contrast, the basic idea of security categories and settings needs to
be implemented early, before security problems start to show up.

> no flash, no activex, no clientside scripting allowed with mozilla &
> netscape. won't use anything that doesn't allow a mouse click to remove
> those functions.

I tend to agree.  I allow Javascript on reasonably trustworthy sites,
but ActiveX and Java are always disabled.  It's important to be able to
control this on a site basis, though, which is why I'd like to see
categories and settings similar to MSIE (but much more evolved, for
better flexibility--the MSIE implementation lacks some features).

-- 
Anthony


_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
