Re: How does GMail know I use Firebug extension in Iceweasel?
On Wed, Nov 28, 2007 at 09:11:39PM -0800, Kelly Clowers wrote:
> On Nov 28, 2007 7:06 PM, Douglas A. Tutty <dtutty@porchlight.ca> wrote:
>
> <snip>
> >
> > AIUI, enabling JavaScript enables the remote site to run javascript on
> > your box. It doesn't do any sort of audit of what it will run. So I
> > would assume that it can do whatever javascript is capable of.
> >
> > Can javascript read my .ssh directory and grab my id_rsa or id_dsa?
>
> Javascript the language can - i.e. you could write a script file in JS
> instead of Perl. However, JS that is run in a web page is sandboxed.
> If it could read your files it would be considered a (very) major security
> flaw in that browser's JS implementation and the news would be all
> over the tech sites.
>
So how big is the sandbox? What is the worst that a mal JS could do?

So we don't keep site passwords in the browser's "shall I remember this
for the future" but instead keep it in a separate file in the home
directory. I would assume then that after visiting a site where I had
to enter a password, I should exit and restart the browser before
visiting another site?

Doug.