From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=2001:41d0:1:7a93::1; helo=nautica.notk.org; envelope-from=asmadeus@notk.org; receiver= Received: from nautica.notk.org (ipv6.notk.org [IPv6:2001:41d0:1:7a93::1]) by hurricane.the-brannons.com (Postfix) with ESMTPS id CB38477893 for ; Mon, 5 Mar 2018 14:31:41 -0800 (PST) Received: by nautica.notk.org (Postfix, from userid 1001) id E89A0C009; Mon, 5 Mar 2018 23:33:01 +0100 (CET) Date: Mon, 5 Mar 2018 23:32:46 +0100 From: Dominique Martinet To: Karl Dahlke Cc: Edbrowse-dev@lists.the-brannons.com Message-ID: <20180305223246.GA20658@nautica> References: <20180205171750.eklhad@comcast.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20180205171750.eklhad@comcast.net> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [Edbrowse-dev] zip and security X-BeenThere: edbrowse-dev@lists.the-brannons.com X-Mailman-Version: 2.1.25 Precedence: list List-Id: Edbrowse Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Mar 2018 22:31:42 -0000 Karl Dahlke wrote on Mon, Mar 05, 2018: > He writes a web page with javascript that does an xhr request to > zipxd://foo.zip@:@top I think it's a matter of priority, but now we have javascript working a bit better we might soon find time to make it more restricted somehow. I still think allowing any site to do xhr requests anywhere is not something we will want. I started writing a mail about this ages ago (August last year!) and it is actually still open despite me not having written a word there in at least six months, that shows how often this machines reboots, but joke aside I think we now have enough js that old attacks on firefox would work on edbrowse, so we will need to start worrying about it sooner or later... As you said most of these attacks depend on having millions of users, but you can also see it differently and having one user exposed to a million of attacks and it might work. A classical example is just assuming you have a comcast home router at 192.168.1.1 (or whatever the default address is) and with the default user admin/admin, just do a xhr for http://admin:admin@192.168.1.1/page where page could open up firewall or change your password or brick the modem - remember I assumed comcast so I can look up these pages. I'm sure that even with just 15 users one of us might be in that configuration! I don't have any easy solution, I started looking up everything firefox does and there is no end, we probably do not need everything, but there is some food for thought. -- Dominique | Asmadeus