List:       kopete-devel
Subject:    Re: [kopete-devel] [PATCH] Incoming file transfer in chat window
From:       Martijn Klingens <klingens () kde ! org>
Date:       2008-08-20 14:50:05
Message-ID: 200808201650.05535.klingens () kde ! org

On Sunday 17 August 2008 17:12:41 Matt Rogers wrote:
> On Aug 16, 2008, at 8:23 PM, Olivier Goffart wrote:
> > - PLEASE DO NOT ENABLE JAVASCRIPT BY DEFAULT!  No security hole in
> > kopete
> > please :-)      enable it on demand just when we need it.  but
> > javascript
> > injection stuff should not be possible.
>
> Why not? Enabling javascript on its own does not expose us to security
> holes, and provides a boat load of features. You even mention
> that Javascript injection should not be possible. Now, it could be
> part of a malicious style that the user downloads, but there's not a
> lot we can do about that.

It does mean that the barrier to exit the sandbox is lowered substantially, 
though.

Firefox has seen its flux of exploits that were often based on breaking out of 
the "web" sandbox into the Chrome one that has a lot more rights. There is a 
reason why every security professional in the world will recommend that you use 
the NoScript plugin to keep Javascript off for all but the most trusted 
websites.

Back to Kopete, depending on the protocol, incoming messages are added to the 
raw HTML, making the risk that at least one protocol inadvertently allows 
injection of scripts quite real.

That said, Javascript provides a load of features indeed. If there is some way 
to ensure that no incoming message can *ever* enter the system with means to 
inject Javascript (or embed iframes with Java, or whatever), then turning it 
on might actually make sense.

-- 
Martijn
_______________________________________________
kopete-devel mailing list
kopete-devel@kde.org
https://mail.kde.org/mailman/listinfo/kopete-devel
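To make the injection risk described in the message above concrete, here is an added example (not Kopete's code, plain C++ with no Qt) that renders an incoming message into a constructed chat-style snippet twice: once spliced in as raw HTML, once HTML-escaped first. The template, the sender name and the message body are constructed stand-ins; Kopete's real chat styles and message pipeline are assumed, not reproduced.

```cpp
#include <iostream>
#include <string>

// Escape the five characters that let text break out of an HTML text node
// or attribute value; everything else passes through unchanged.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Unsafe path: the message body enters the chat document as raw HTML,
// which is what the thread warns about for protocols that deliver markup.
std::string renderRaw(const std::string& sender, const std::string& body) {
    return "<div class=\"incoming\"><span class=\"sender\">" + sender +
           "</span>: <span class=\"body\">" + body + "</span></div>";
}

// Hardened path: both untrusted fields are escaped, so any markup a peer
// sends is displayed as text instead of being interpreted by the renderer.
std::string renderEscaped(const std::string& sender, const std::string& body) {
    return renderRaw(htmlEscape(sender), htmlEscape(body));
}

// Cheap regression check: count '<' in the rendered output. The template
// itself contributes exactly six, so anything above that came from a peer.
size_t tagCount(const std::string& html) {
    size_t n = 0;
    for (char c : html) if (c == '<') ++n;
    return n;
}

// Constructed sample of a hostile incoming message (not a real capture).
const std::string kConstructedMessage = "hi <script>alert(1)</script>";

int main() {
    std::cout << "raw:     " << renderRaw("alice", kConstructedMessage) << "\n";
    std::cout << "escaped: " << renderEscaped("alice", kConstructedMessage) << "\n";
    return 0;
}
```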