On Sun, Aug 23, 2009 at 9:02 PM, Gustavo Noronha Silva <g...@gnome.org> wrote:
> On Sat, 2009-08-22 at 22:05 -0700, Adam Barth wrote:
>> which disables this behavior. For legacy reasons, we default this
>> setting to true, but I'd like to encourage you to use the false
>> setting by default in your browser, especially if your browser runs on
>> Linux.
>> This issue is particularly important on Linux because many Linux users
>> use a network file system, such as AFS or NFS, which maps the entire
>> world into the local file system. For example, if I made my home
>> directory world-readable, it's quite likely that I would be able to
>> control this URL on your users' machines:
> I notice that WebKitGTK+ disables this by default, good =).
Awesome. :)
> I think, though, that the AFS/NFS issue you mention is more general and
> shouldn't be a motivating factor. We have many GNU/Linux users not in
> corporate networks, these days, as well, and I think we should not be
> designing everything for big installations (those usually have admins
> who can worry about this kind of issue).
> Also, it looks like you can access windows shares using
> file://server/folder/file.html, so this doesn't seem to be UNIX-specific
> in any way. I also bet Mac can be made to use NFS, and AFS, so, again, I
> fail to see this as particularly important on non-Mac UNIX-likes.
I'm not sure I quite followed your line of reasoning here. Are you
suggesting that everyone should use the more secure setting or are you
saying that you don't think this is an important security measure in
non-enterprise settings?
I agree that everyone should disable universal access for file URLs.
In fact, I think we should make it the default because the current
default is pretty dangerous.
Adam
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev