Re: [Edbrowse-dev] zip and security

[Dominique Martinet <asmadeus@codewreck.org>]

Karl Dahlke wrote on Mon, Mar 05, 2018:
> He writes a web page with javascript that does an xhr request to
> zipxd://foo.zip@:@top

I think it's a matter of priority, but now we have javascript working a
bit better we might soon find time to make it more restricted somehow.

I still think allowing any site to do xhr requests anywhere is not
something we will want.
I started writing a mail about this ages ago (August last year!) and it
is actually still open despite me not having written a word there in at
least six months, that shows how often this machines reboots, but joke
aside I think we now have enough js that old attacks on firefox would
work on edbrowse, so we will need to start worrying about it sooner or
later...

As you said most of these attacks depend on having millions of users,
but you can also see it differently and having one user exposed to a
million of attacks and it might work.
A classical example is just assuming you have a comcast home router at
192.168.1.1 (or whatever the default address is) and with the default
user admin/admin, just do a xhr for http://admin:admin@192.168.1.1/page
where page could open up firewall or change your password or brick the
modem - remember I assumed comcast so I can look up these pages.

I'm sure that even with just 15 users one of us might be in that
configuration!


I don't have any easy solution, I started looking up everything firefox
does and there is no end, we probably do not need everything, but there
is some food for thought.
-- 
Dominique | Asmadeus