> Ian G wrote:
>> So maybe the answer is that if the user chooses to
>> save the file, the save process checks to see if any
>> javascript is in there, and then warns the user as
>> if it were an email with exe attachment. I.e., it
>> says the same thing as if an exe was received in
>> email:
>>
>> this page contains programs and may do damage
>> like any virus, are you sure you want to save it?
>>
>> After saving it, any viewing of the saved page
>> will cause it to run with full privileges!
>
> The issue with that is that the warning, which appears on save, and the
> potentially dangerous action (loading) can be months apart.

Of course. Just to clarify my original remarks, I was trying to determine a useful model of the problem rather than solve it, as the original posts had a lot of info and no clear (to me) description.

What I didn't say was this: This is a really hard problem. It's the clash of two things that are insecure in principle but secure in practice, colliding. At that collision, there is no easy answer.

For those seeking a real solution, as opposed to a "best efforts," which is the only practical way forward, have a look at capabilities; this is a new-ish way of architecting secure systems that deals with these sorts of questions. However, unless you are prepared to throw the browser out and start again, this is not realistic for the here and now of Mozilla's Firefox team.

I think Tyler mentioned Polaris; this is a browser that uses caps. It's a research project, rather than a ready-to-compete browser.

iang