
Re: How does GMail know I use Firebug extension in Iceweasel?



"Douglas A. Tutty" <dtutty@porchlight.ca> writes:

[...]

> So how big is the sandbox?  What is the worst that a mal JS could do?

I don't know the exact details, but in general JavaScript is limited
to accessing its own browser window, the window that created it, any
windows it creates, and a few small bits of global state.  It should
not be able to access anything security sensitive unless it is in one
of those windows.  So by design, JS is pretty secure.

However, most of the security problems you see with JS have to do with
implementation bugs.  This area seems to be more prone to security
bugs than other parts of the Web browser.  As with implementation bugs
in any application, anything may be possible, depending on the nature
of the bug.

So, you will have to weigh for yourself the advantages of JS versus
the risk of implementation bugs, just as you weigh the advantages of
using other applications or application features versus the risk of
implementation bugs.

Searching Bugtraq or the database at cve.mitre.org can be useful in
seeing how prone applications are to implementation errors.

Good luck,

----Scott.


