List:       kfm-devel
Subject:    Re: Possible security problem in KHTML or KMail?
From:       Harri Porten <porten () trolltech ! com>
Date:       2001-10-11 18:49:16

On Thu, 11 Oct 2001, Andreas Pour wrote:

> Would it be difficult to add a 'private' property to a frame, which is
> set if any data comes from the local file system, and whenever a
> JavaScript variable is set with data, it is marked as "private" (just
> has to check the flag of that frame)?  If so, then it should be
> relatively straightforward to issue a warning to a user if a "private"
> variable is being used in a URL request.  Of course I don't know the JS
> internals . . . .

A similar protection is already there to stop access to frames from
another domain. I wouldn't be surprised if the security problem brought up
in this thread is non-existent. After all, KJS::originCheck() does check
for equivalence of the URL protocols. Did somebody actually try it out
before the claim was made?

Harri.
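
Added example, not part of the message above and not KJS or KHTML code: a minimal C++ model of the two defenses discussed in this exchange, an origin check that compares URL protocol as well as host, and the proposed "private" flag that follows data read from a local-file frame into a URL request. All type and function names, and the example.com and file paths, are hypothetical.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical model for illustration; none of these names are KJS or KHTML APIs.
struct Origin { std::string protocol, host; };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Split "scheme://host/path" (or "file:/path") into lower-cased protocol and host.
Origin parseOrigin(const std::string& url) {
    Origin o;
    auto colon = url.find(':');
    if (colon == std::string::npos) return o;      // no scheme: empty origin
    o.protocol = lower(url.substr(0, colon));
    if (url.compare(colon + 1, 2, "//") == 0) {    // authority part present
        auto start = colon + 3;
        auto end = url.find_first_of("/?#", start);
        o.host = lower(url.substr(start, end == std::string::npos ? end : end - start));
    }
    return o;
}

// Cross-frame access is allowed only if protocol AND host match; unparsable URLs fail closed.
bool sameOriginCheck(const std::string& accessorUrl, const std::string& targetUrl) {
    Origin a = parseOrigin(accessorUrl), t = parseOrigin(targetUrl);
    if (a.protocol.empty() || t.protocol.empty()) return false;
    return a.protocol == t.protocol && a.host == t.host;
}

// The proposed "private" flag: set on data from a file: frame, kept through concatenation.
struct Frame { std::string url; bool isPrivate() const { return parseOrigin(url).protocol == "file"; } };
struct Value { std::string data; bool isPrivate; };

Value readFromFrame(const Frame& f, const std::string& data) { return {data, f.isPrivate()}; }
Value concat(const Value& a, const Value& b) { return {a.data + b.data, a.isPrivate || b.isPrivate}; }
bool shouldWarnOnRequest(const Value& requestUrl) { return requestUrl.isPrivate; }

int main() {
    Frame local{"file:///home/user/notes.txt"}, remote{"http://example.com/page.html"};  // constructed
    Value url = concat(readFromFrame(remote, "http://example.com/?q="), readFromFrame(local, "notes"));
    std::cout << "cross-frame access allowed: " << sameOriginCheck(remote.url, local.url) << "\n";
    std::cout << "warn before request: " << shouldWarnOnRequest(url) << "\n";
    return 0;
}
```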
