
List:       selenium-devel
Subject:    [Selenium-devel] Eliminating the Funnel with firefox/mozilla
From:       paul cannon <paul-selenium () nafpik ! com>
Date:       2005-09-02 19:09:09
Message-ID: 20050902190909.GD23284 () nafpik ! com

Good day-

Some time ago I mailed this list about the AntiXSS solution we came up
with Novell to get around some of the problems we were having with the
nph-proxy funnel for driven mode.

Recently I've been using a solution which is far, far simpler and which
seems to address all the problems on both sides.  It is essentially to
disable the cross-site scripting checks for HTML and Javascript coming
from the local filesystem (the file:// protocol).

We use Mozilla's Configurable Security Policies [1] along with some
related user preferences to formulate a user.js that can be put in a
dedicated user profile, and which disables the CSS checks as described.
The user.js we have so far is attached.

When a Firefox session is run in that profile, SeleneseRunner.html or
similar can be loaded directly using file:// and can do pretty much
anything it wants with pages from other sources.

If anyone else finds this useful and/or has anything to add or fix,
great.  Send it our way!  Hopefully something like this can also go into
Selenium upstream if it seems useful for others.

This appears to be similar in effect to using an .hta suffix with
Internet Explorer.

The obvious disadvantage to this approach is that security is lessened
when using that Firefox profile; if it were used to browse a malicious
site, and that site knew where to find some certain javascript files on
your filesystem, and it were allowed to load the javascript files from
your filesystem (is it?) I guess there's a possibility that site could
take advantage of the security loophole to do nefarious things.

[1] http://www.mozilla.org/projects/security/components/ConfigPolicy.html

-- 
paul

["user.js" (application/x-javascript)]

_______________________________________________
Selenium-devel mailing list
Selenium-devel@lists.public.thoughtworks.org
http://lists.public.thoughtworks.org/mailman/listinfo/selenium-devel
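As an added example (not part of Paul's post and not the attached user.js, which is not reproduced here): a small Python audit of the capability.policy.* prefs in a user.js, checking that a dedicated profile of the kind described only extends privileges to file:// pages rather than to network origins or to the default policy. The pref layout follows Mozilla's CAPS scheme [1]; the two user.js samples are constructed, and the use of the `checkloaduri.enabled` privilege to let file:// pages reach other origins is an assumption about what such a profile would contain.

```python
import re
from collections import defaultdict

# Constructed sample: one named policy, scoped to file:// pages only.
NARROW_USER_JS = '''
user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.localfilelinks.sites", "file://");
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");
'''

# Constructed sample of the same mechanism applied too broadly: a network
# origin shares the policy, and the default policy (every site) gets a grant.
BROAD_USER_JS = '''
user_pref("capability.policy.policynames", "trusted");
user_pref("capability.policy.trusted.sites", "file:// http://intranet.example");
user_pref("capability.policy.trusted.checkloaduri.enabled", "allAccess");
user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess");
'''

PREF_RE = re.compile(r'user_pref\("capability\.policy\.([^"]+)",\s*"([^"]*)"\)')


def parse_policies(text):
    """Group capability.policy.* prefs by policy name.
    Returns {policy: {"sites": [...], "grants": {"object.property": value}}}."""
    policies = defaultdict(lambda: {"sites": [], "grants": {}})
    for key, value in PREF_RE.findall(text):
        if key == "policynames":
            for name in value.replace(",", " ").split():
                policies[name]  # touching the key creates an empty entry
            continue
        name, _, prop = key.partition(".")
        if prop == "sites":
            policies[name]["sites"] = value.split()
        elif prop:
            policies[name]["grants"][prop] = value
    return dict(policies)


def audit(text):
    """Return findings for policies that grant more than a local test runner needs."""
    findings = []
    for name, pol in parse_policies(text).items():
        grants = [p for p, v in pol["grants"].items() if v == "allAccess"]
        if not grants:
            continue
        if name == "default":
            findings.append(f"policy 'default' grants allAccess to {grants} for every site")
        elif not pol["sites"]:
            findings.append(f"policy '{name}' grants allAccess but lists no sites")
        elif [s for s in pol["sites"] if not s.startswith("file:")]:
            findings.append(f"policy '{name}' extends allAccess beyond file:// origins")
    return findings
```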


