So maybe the answer is that if the user chooses to save the file, the save process checks to see if any JavaScript is in there, and then warns the user as if it were an email with an exe attachment. I.e., it says the same thing as if an exe was received in email:
this page contains programs and may do damage like any virus, are you sure you want to save it?
After saving it, any viewing of the saved page will cause it to run with full privileges!
The issue with that is that the warning, which appears on save, and the potentially dangerous action (loading) can be months apart.
Or, possibly one could strip the code out of it. Whether that is plausible depends on the page I suppose; I wouldn't suggest a parsing phase, as they are too easy to defeat, in theory, and the attacker does have access to your parser.
We could start saving web pages by default in "safe" mode - as a serialisation of their current DOM (so they look right), with script stripped out. That assumes, of course, we can strip it out...
Gerv

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
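One way to read the "safe mode" save discussed in this message, as an added example that is not code from the thread or from Mozilla: rather than hunting for script to delete, re-serialise only an allowlist of tags and attributes, so anything the serialiser does not recognise is dropped by default. The allowlists, the names `save_safe` and `url_is_inert`, and the use of Python's `html.parser` in place of a browser DOM are all assumptions made for the illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for this example; a real "safe save" needs a far larger, reviewed set.
SAFE_TAGS = {"html", "head", "title", "body", "div", "span", "p", "a", "b", "i",
             "em", "strong", "h1", "h2", "ul", "ol", "li", "img", "br"}
SAFE_ATTRS = {"href", "src", "alt", "title"}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}  # the element content is dropped, not just the tags

def url_is_inert(value):
    """Allow relative and http(s) URLs only, ignoring whitespace/control characters."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    return ":" not in head or head.split(":", 1)[0].lower() in {"http", "https"}

class SafeSerializer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip += 1
        elif not self.skip and tag in SAFE_TAGS:
            kept = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                           if n in SAFE_ATTRS and (n not in URL_ATTRS or url_is_inert(v or "")))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in SAFE_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def save_safe(html_text):
    parser = SafeSerializer()
    parser.feed(html_text)
    parser.close()  # flush any buffered text
    return "".join(parser.out)

SAMPLE = ('<body onload="init()"><script>alert(1)</script><a href="java&#9;script:alert(1)"'
          ' onclick="x()">link</a><img src="/logo.png" alt="logo"><p>1 &lt; 2</p></body>')  # constructed
```

Event-handler attributes, comments and unknown elements never reach the output because nothing outside the allowlists is copied, which is the property a blocklist-style stripping pass cannot offer.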
