Firefox security strategy (was: Firefox goodies)
Bill McGonigle
bill at bfccomputing.com
Thu Dec 29 18:10:01 EST 2005
On Dec 29, 2005, at 16:04, Ben Scott wrote:
> Then again, I don't really *know* anything about Firefox's
> internals; I've just read blurbs and articles here and there. Maybe
> most of what I want is already there.
Firefox does have some limitations on JavaScript. For instance, I
recently read an article on using an XML proxy on your server to do
interesting things with AJAX because most JavaScript implementations
won't let you open an XMLHttpRequest to a server other than the one the
script came from. So, if you want to do, say, Amazon lookups using web
services, you can't go right to Amazon - you have to proxy through your
server. This has all sorts of implications for services that limit
transaction counts per IP per day and so you can't do certain classes
of useful things.
In the same way you can't open up a file:/// URL and POST it to a
server. There are probably good reasons for being able to do these
kinds of things in certain situations, but Mozilla would rather just
throw down the gauntlet than try to enforce security around ACLs,
especially using a language like C++ to do this safely and robustly.
Java takes the signed-code approach which makes hard things barely
possible.
Keep in mind, things like 'pop-up blockers' are really just guards
against certain JavaScript features succeeding in certain situations -
not unlike the list of preferences you posted. And when did a pop-up
blocker first make it into Mozilla - 3 or 4 years ago maybe. I seem to
recall some flavors of Mozilla don't let you obscure the window
controls and other things site designers would rather you do.
Anyway, I would argue your list of preference settings for JavaScript
would be a better set of defaults than what they ship today. The
trouble is they're trying to compete with IE on IE's terms and, well,
users hate security, almost as much as they hate data loss. For
instance, I know many people who have stopped getting security updates
on Windows because they didn't notice the Info bar that says that
microsoftupdate is trying to install an ActiveX control. A weak GUI,
sure, but people would just rather let the good guys have control and
assume the bad guys aren't out to get them. So maybe Mozilla's
strategy here is errant.
Which gets to the heart of the matter - a browser like IE was built
with running OLE controls on the local CPU in mind. Firefox was built
with letting things like that happen only in the event of a
catastrophic bug. Guess which one has a zero-day exploit today for the
same thing that was supposedly patched in the past few months?
And then we have the Mozilla/VMware Browser Appliance, a totally
tangential approach:
http://blog.bfccomputing.com/index.php?p=100
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
More information about the gnhlug-discuss
mailing list
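
The XMLHttpRequest restriction discussed in the message above, sketched as a scheme/host/port comparison. This is an added example, not part of the original post and not Mozilla's code; the hostnames and paths are constructed, and it models only the basic same-origin rule, not later opt-in mechanisms such as CORS.

```javascript
// Added example: same-origin decision as a (scheme, host, port) comparison.
// All URLs used here are constructed sample values.
const DEFAULT_PORTS = new Map([["http:", "80"], ["https:", "443"]]);

// Origin tuple for a URL, or null for schemes with no network origin (file:, data:, ...).
function originOf(urlString) {
  const u = new URL(urlString);
  if (!DEFAULT_PORTS.has(u.protocol)) return null;
  // The URL parser reports "" for a scheme's default port, so normalise it.
  const port = u.port || DEFAULT_PORTS.get(u.protocol);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// True only when scheme, host and port all match; opaque origins never match.
function sameOrigin(pageUrl, targetUrl) {
  const a = originOf(pageUrl);
  const b = originOf(targetUrl);
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Resolve a (possibly relative) request target against the page, then decide.
function classifyRequest(pageUrl, target) {
  const resolved = new URL(target, pageUrl).href;
  return { resolved, allowed: sameOrigin(pageUrl, resolved) };
}

// Constructed scenario: a script served from shop.example wants a book lookup.
const PAGE = "http://shop.example/app/lookup.html";
const TARGETS = [
  "/proxy/lookup?isbn=0",                // the server-side proxy: same origin
  "http://shop.example:80/proxy/lookup", // explicit default port: same origin
  "http://api.bookseller.example/lookup",// direct call to the third party: blocked
  "https://shop.example/proxy/lookup",   // scheme differs: blocked
  "http://shop.example:8080/lookup",     // port differs: blocked
  "file:///etc/hosts",                   // local file from a web page: blocked
];

for (const t of TARGETS) {
  const r = classifyRequest(PAGE, t);
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"}  ${r.resolved}`);
}
```

Only the first two targets are allowed, which is why the lookup has to be relayed through the page's own server and why the third party then sees every request coming from that server's IP address.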