[Apologies for the delay in replying.]

Nigel McFarlane wrote:
Not exactly. The point of trust is on reload, not on save. The MOTW is merely metadata about the file's origin. I might configure my Firefox, for example, to not alert for all content saved from www.mybank.com.

That's a matter of perspective. If you have a web-centric view of the world, you see everything through the lens of a browser, then I agree with you. But if you take a wider view that Firefox is a desktop tool, then special marking of one kind of saved document but not others doesn't make much sense. Saving documents imports them into the desktop environment.

If we could sanitise the documents to guarantee their safety at save-time, I would agree with you.


While those local sources may be buggy, such bugs are unlikely to do the equivalent of "rm -rf /*". If you run code you didn't write, however, it could do anything. You don't know.

Well, first that's a probabilistic argument. You're saying that it's more probable that evil code written by others will do damage than accidental code written by a developer.

No one can determine which is more probable; so
it's not a very powerful argument.

That's ridiculous. JavaScript normally can't do rm -rf /*; you have to carefully code an exploit to use a bug in the browser to do so. Are you saying it's just as likely that a web developer accidentally comes up with such an exploit while trying to write legit code, as it is that a malicious coder writes one in full knowledge of what they are doing?


There's no reason to mark 100% of saved web pages unsafe
because 0.01% might actually be so. That's overkill.

If you have some reliable way of analysing the page content to determine its safety, then I quite agree.

So I've argued earlier that there are a few tests at least that can be applied to determine safety; e.g. the absence of JS code.

And plugins.

I'd agree that it may well be possible to write a checker which didn't apply the MOTW to certain documents you thought were safe - but it would be risky, and an obvious potential source of security holes.

The thing is that the MOTW is a credential. All kinds of systems
can be hung off of a credential [ ... ]

Why is any of that bad? As long as Mozilla makes sure there's exactly one, correct, MOTW in a page when it saves it, none of the above is a problem or a security risk.

Why don't we fully support document.all?

Because there are other, standards-compliant ways to achieve the same thing. That is not true in the case under consideration.


Gerv
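An added illustration of the two points argued over above (not code from the thread, Mozilla, or either poster): a toy "save page" step that writes exactly one Mark of the Web, stripping any MOTW comment the fetched content already carried so the origin cannot supply its own credential, plus the kind of "absence of JS or plugins" checker Nigel proposes. The comment format is the one Internet Explorer defined (a four-digit URL length followed by the URL); the function names, the `ACTIVE_TAGS` list and the sample page are all assumptions constructed for this example.

```python
"""Added example, not from the mailing-list thread: a minimal MOTW saver and an
active-content checker. All function names and the sample page are assumptions."""
import re
from html.parser import HTMLParser

# Mark of the Web comment as Internet Explorer defined it: a four-digit,
# zero-padded length of the URL followed by the URL itself.
MOTW_RE = re.compile(r"<!--\s*saved from url=\(\d{4}\)[^>]*-->\s*", re.IGNORECASE)


def make_motw(origin_url: str) -> str:
    """Build the MOTW comment the saver vouches for."""
    return f"<!-- saved from url=({len(origin_url):04d}){origin_url} -->"


def apply_motw(html: str, origin_url: str) -> str:
    """Return the page with exactly one MOTW: the saver's own.

    Any MOTW already present in the fetched content is dropped first. Because
    the mark is a credential that other policy hangs off, the origin must not be
    able to ship a page that already claims a different (more trusted) source.
    """
    stripped = MOTW_RE.sub("", html)
    return make_motw(origin_url) + "\n" + stripped


def count_motw(html: str) -> int:
    """How many MOTW comments a document carries (should be 1 after saving)."""
    return len(MOTW_RE.findall(html))


# Elements that carry script or plugin content (assumed list for this example).
ACTIVE_TAGS = {"script", "object", "embed", "applet"}


class ActiveContentScanner(HTMLParser):
    """Records tags and attributes that carry JS or plugin content."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                # Inline event handlers such as onload / onerror
                self.findings.append(f"{name} handler on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} of <{tag}>")


def scan_active_content(html: str) -> list[str]:
    """The 'absence of JS code and plugins' test: a list of what was found."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the fetched page already carries two MOTW comments of
# its own (one naming a bank), a script element and an inline event handler.
SAMPLE_PAGE = """<!-- saved from url=(0022)http://www.mybank.com/ -->
<html><head><!-- saved from url=(0014)about:internet --><title>t</title>
<script>alert(1)</script></head>
<body><img src="x.png" onerror="alert(2)"><p>hello</p></body></html>"""

if __name__ == "__main__":
    saved = apply_motw(SAMPLE_PAGE, "http://www.example.org/")
    print(saved.splitlines()[0])          # the one MOTW the saver wrote
    print("MOTW comments:", count_motw(saved))
    for finding in scan_active_content(SAMPLE_PAGE):
        print("active content:", finding)
```

The saver half is the cheap property: stripping pre-existing marks and writing one of its own is a few lines and needs no understanding of the page. The checker half is where the risk Gerv describes lives: a whitelist of "safe" documents is only as good as the list of active-content vectors it enumerates (plugins, handlers, `javascript:` URLs in every attribute that accepts a URL, and whatever the next browser feature adds), and any vector the list misses becomes an unmarked, fully trusted local file. Always marking, and deciding trust on reload, avoids having to get that enumeration right.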
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security