With MOTW in place, Mozilla and Firefox trust Word documents
more than they trust web documents, passing them through the
file-save cycle without modification. That is silly.

Not exactly. The point of trust is on reload, not on save. The MOTW is merely metadata about the file's origin. I might configure my Firefox, for example, to not alert for all content saved from www.mybank.com.

That's a matter of perspective. If you have a web-centric view of the world, you see everything through the lens of a browser, then I agree with you. But if you take a wider view that Firefox is a desktop tool, then special marking of one kind of saved document but not others doesn't make much sense. Saving documents imports them into the desktop environment.

This thread's about supporting two views of the world:
the web-centric view, and the desktop/command line view
used by developers.

While those local sources may be buggy, such bugs are unlikely to do the equivalent of "rm -rf /*". If you run code you didn't write, however, it could do anything. You don't know.

Well, first that's a probabilistic argument. You're saying that it's more probable that evil code written by others will do damage than accidental code written by a developer.

No one can determine which is more probable; so
it's not a very powerful argument.

Secondly, you're saying that the unknown is more risky
than accidents in the domain of the known. That's also
a probabilistic argument. I see the need to catch both
kinds if possible; I don't see the need to especially
fear risk in either case.

No - the fact that the 0.01% of criminals will do nasty things to Firefox users who will then come and complain loudly to us.

Fair enough, but that's a reputation argument: "our reputation will suffer if we don't do something". I agree entirely. I just say "don't choose a solution that might also cause reputation problems".

There's no reason to mark 100% of saved web pages unsafe
because 0.01% might actually be so. That's overkill.

If you have some reliable way of analysing the page content to determine its safety, then I quite agree.

So I've argued earlier that there are a few tests at least that can be applied to determine safety; e.g. the absence of JS code. If we test conservatively, then perhaps 5% rather than 0.01% are caught as "possibly problematic". That's still far less than 100%.

The thing is that the MOTW is a credential. All kinds of systems
can be hung off of a credential [ ... ]

Why is any of that bad? As long as Mozilla makes sure there's exactly one, correct, MOTW in a page when it saves it, none of the above is a problem or a security risk.

Why don't we fully support document.all? The line has to be drawn at some point between merely following others and acting in the best interests of the web. Non-standard, unfriendly and unnecessary: three strikes in my view.

- N.
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
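
The two checks discussed in the message above (exactly one correct MOTW in a saved page, and a conservative test for script), as an added example that is not part of the original message or of Mozilla's code. It assumes the Internet Explorer comment form `<!-- saved from url=(NNNN)URL -->`, where NNNN is the zero-padded length of the URL; the function names and sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed MOTW form: <!-- saved from url=(NNNN)URL -->, NNNN = len(URL), zero-padded.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


class ActiveContentFinder(HTMLParser):
    """Conservative test: flag anything that could run script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "object", "embed", "applet", "iframe"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_saved_page(html):
    """Return (motw_problems, active_content) for one saved page."""
    problems = []
    marks = MOTW_RE.findall(html)
    if len(marks) != 1:
        problems.append(f"expected exactly one MOTW, found {len(marks)}")
    for declared, url in marks:
        if int(declared) != len(url):
            problems.append(f"length field {declared} does not match URL {url!r}")
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return problems, finder.findings


# Constructed sample pages (not taken from the thread).
GOOD = "<!-- saved from url=(0023)http://www.example.com/ -->\n<html><body><p>Hi</p></body></html>"
BAD = ("<!-- saved from url=(0023)http://www.example.com/ -->\n"
       "<!-- saved from url=(0014)http://other.example/ -->\n"
       "<html><body onload=\"go()\"><script>go()</script></body></html>")

if __name__ == "__main__":
    for name, page in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_saved_page(page))
```
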
