From kopete-devel Wed Aug 20 14:50:05 2008 From: Martijn Klingens Date: Wed, 20 Aug 2008 14:50:05 +0000 To: kopete-devel Subject: Re: [kopete-devel] [PATCH] Incoming file transfer in chat window Message-Id: <200808201650.05535.klingens () kde ! org> X-MARC-Message: https://marc.info/?l=kopete-devel&m=121924385023709 On Sunday 17 August 2008 17:12:41 Matt Rogers wrote: > On Aug 16, 2008, at 8:23 PM, Olivier Goffart wrote: > > - PLEASE DO NOT ENABLE JAVASCRIPT BY DEFAULT! No security whole in > > kopete > > please :-) enable it on demand just when we need it. but > > javascript > > injection stuff should not be possible. > > Why not? Enabling javascript on its own does not expose us to security > holes, and provides a boat laod of features. You even mention about > that Javascript injection should not be possible. Now, it could be > part of a malicious style that the user downloads, but there's not a > lot we can do about that. It does mean that the barrier to exit the sandbox is lowered substantially, though. Firefox has seen its flux of exploits that were often based on breaking out of the "web" sandbox into the Chrome one that has a lot more rights. There is a reason why every security professional in the world will recommend you to use the NoScript plugin to keep Javascript off for all but the most trusted websites. Back to Kopete, depending on the protocol, incoming messages are added to the raw HTML, making the risk that at least one protocol inadvertedly allows injection of scripts quite real. That said, Javascript provides a load of features indeed. If there is some way to ensure that no incoming message can *ever* enter the system with means to inject Javascript (or embed iframes with Java, or whatever), then turning it on might actually make sense. -- Martijn _______________________________________________ kopete-devel mailing list kopete-devel@kde.org https://mail.kde.org/mailman/listinfo/kopete-devel