
Re: How does GMail know I use Firebug extension in Iceweasel?



On Wed, Nov 28, 2007 at 09:11:39PM -0800, Kelly Clowers wrote:
> On Nov 28, 2007 7:06 PM, Douglas A. Tutty <dtutty@porchlight.ca> wrote:
> 
> <snip>
> >
> > AIUI, enabling JavaScript enables the remote site to run javascript on
> > your box.  It doesn't do any sort of audit of what it will run.  So I
> > would assume that it can do whatever javascript is capable of.
> >
> > Can javascript read my .ssh directory and grab my id_rsa or id_dsa?
> 
> Javascript the language can - i.e. you could write a script file in JS
> instead of Perl. However, JS that is run in a web page is sandboxed.
> If it could read your files it would be considered a (very) major security
> flaw in that browser's JS implementation and the news would be all
> over the tech sites.
> 

So how big is the sandbox?  What is the worst that a mal JS could do?
So we don't keep site passwords in the browser's "shall I remember this
for the future" but instead keep it in a separate file in the home
directory.  I would assume then that after visiting a site where I had
to enter a password, I should exit and restart the browser before
visiting another site?

Doug.


