[4685] in WWW Security List Archive
Re: IE3 .lnk & .url bug
daemon@ATHENA.MIT.EDU (Stephen Anderson)
Thu Mar 6 06:51:36 1997
To: www-security@ns2.rutgers.edu
In-reply-to: Your message of "Tue, 04 Mar 1997 13:14:20 EST."
<199703041814.NAA63392@mailhub1.watson.ibm.com>
Date: Thu, 06 Mar 1997 09:42:50 +0000
From: Stephen Anderson <stephen@planet.net.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
> The trouble is, Internet Explorer treats LNK and URL files
> loaded off the Net just as it does local ones; therefore
[...]
>
> In general, maintaining security as the desktop and the
> network sort of squoosh together and their boundaries
> dissolve, is going to be a challenge. It's starting a
> little earlier than I expected! *8)
I think the general problem here is that all browsers are by default far
too trusting of the information they receive from the 'net. Plus of
course, they're not built upon the framework of a consistent security
engine; security was something they added later. My favourite case of
this is that, in at least some versions of Netscape, you could violate
the Java sandbox by using Java to call Javascript, which was not
similarly restricted B->.
Possibly all the browsers need to be recoded with an implicit "tainted
unless I say so" flag set on all data garnered off the 'net.
--
Stephen Anderson Stephen.Anderson@planet.net.uk
Planet Online : The White House | Tel : +44 (0) 113 2345566
Melbourne Street, Leeds LS2 7PS UK. | Fax : +44 (0) 113 2345656
"Watashi ni yo ga nakunattara sumiyakani hakaba e mairimasu."