edbrowse-dev - development list for edbrowse
 help / color / mirror / Atom feed
From: Dominique Martinet <asmadeus@codewreck.org>
To: Karl Dahlke <eklhad@comcast.net>
Cc: Edbrowse-dev@lists.the-brannons.com
Subject: Re: [Edbrowse-dev] zip and security
Date: Mon, 5 Mar 2018 23:32:46 +0100	[thread overview]
Message-ID: <20180305223246.GA20658@nautica> (raw)
In-Reply-To: <20180205171750.eklhad@comcast.net>

Karl Dahlke wrote on Mon, Mar 05, 2018:
> He writes a web page with javascript that does an xhr request to
> zipxd://foo.zip@:@top

I think it's a matter of priority, but now we have javascript working a
bit better we might soon find time to make it more restricted somehow.

I still think allowing any site to do xhr requests anywhere is not
something we will want.
I started writing a mail about this ages ago (August last year!) and it
is actually still open despite me not having written a word there in at
least six months, that shows how often this machines reboots, but joke
aside I think we now have enough js that old attacks on firefox would
work on edbrowse, so we will need to start worrying about it sooner or

As you said most of these attacks depend on having millions of users,
but you can also see it differently and having one user exposed to a
million of attacks and it might work.
A classical example is just assuming you have a comcast home router at (or whatever the default address is) and with the default
user admin/admin, just do a xhr for http://admin:admin@
where page could open up firewall or change your password or brick the
modem - remember I assumed comcast so I can look up these pages.

I'm sure that even with just 15 users one of us might be in that

I don't have any easy solution, I started looking up everything firefox
does and there is no end, we probably do not need everything, but there
is some food for thought.
Dominique | Asmadeus

  reply	other threads:[~2018-03-05 22:31 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-03-05 22:17 Karl Dahlke
2018-03-05 22:32 ` Dominique Martinet [this message]
2018-03-05 23:35   ` Kevin Carhart

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180305223246.GA20658@nautica \
    --to=asmadeus@codewreck.org \
    --cc=Edbrowse-dev@lists.the-brannons.com \
    --cc=eklhad@comcast.net \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).