On 07/02/2011 05:42 PM, Sam Varshavchik wrote:
> JD writes:
>
>> On 07/02/2011 02:42 PM, Sam Sharpe wrote:
>>> On 2 July 2011 22:20, JD <jd1008@xxxxxxxxx> wrote:
>>>> On my machine, when I disable javascript, it is unable to display my files.
>>>> I understand that the browser is supposed to be able to display your files
>>>> with the file:/// URL.
>>>> I just was not expecting my router to issue a javascript to
>>>> access my files. And my concern is that any web site can issue a
>>>> javascript to access personal files; and most people are unaware of this,
>>>> because they are not techies, and do not understand what javascripts
>>>> are capable of doing.
>>> I don't think you understand. Your browser can access your local
>>> files. It is doing so via a file:/// URL. This is not a problem with
>>> javascript, this is a feature of your browser. To check this, please
>>> type "file:///" into your browser's address bar manually and you
>>> will see that there is no difference in the behaviour. I repeat, this
>>> is not a javascript problem and you are getting hysterical over
>>> nothing.
>>>
>>> It is not a security risk because it is showing you the files you have
>>> access to on your machine. Javascript has absolutely nothing to do
>>> with it apart from sending *you* to the URL.
>>>
>> When I disabled javascript, the link in the
>> router's page could no longer open
>> file:///
>
> What you're missing is that a remote server's ability to instruct your
> web browser to open the contents of a file:/// URL is limited to
> precisely that: your web browser opening and displaying the contents
> of file:///. The remote server's javascript has no means of accessing
> the contents of file:///. Once your web browser opens file:///, the
> previous page from the remote server is closed, together with all the
> javascript that was in it.
>
> If file:/// gets opened in a separate window or a tab, as can be done,
> the javascript running from another window or tab still has no means
> of accessing the contents of another scope, as well. Javascript can
> only access resources that originate from the same scope.
>
> This is a well-understood security model. There have been isolated
> instances in the past, where flaws were discovered in some individual
> browser's security model that allowed some mechanism for running
> Javascript to access content from another scope; occasionally a common
> flaw was found that was shared by several browsers.
>
> Barring your wonderrouter leveraging some hitherto unknown security
> exploit, all that your wonderrouter is doing is the equivalent of the
> HTML that reads
>
> <a href="file:///">Y0U h4ve b33n p0wned</a>
>
> …yawn…

You missed the import of what I was saying... that a javascript pushed by a website, forced on my browser to execute on my machine, is in and of itself a violation of privacy and security. Furthermore, it would be incredibly shortsighted (stating it mildly) to write off such a practice as safe by any measure. I sent a reply to Ed. Read that one.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
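As an added example, not code from the thread or from any browser, here is the same-origin rule Sam Varshavchik describes, modelled in JavaScript: a page may point another window at any URL, but it may read that window's document only when both share an origin, and a file:/// document never shares an origin with a page served over the network. The router address 192.168.1.1 is a constructed stand-in for the actual device, and `originOf`, `sameOrigin` and `crossWindowAccess` are this example's own names.

```javascript
// Added example (not from the thread or any browser): a model of the browser
// same-origin check. Router address below is constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Origin tuple (scheme, host, port) as browsers compute it. Default ports are
// normalised so http://host/ and http://host:80/ compare equal. file: URLs get
// an opaque origin that equals nothing, not even another file: URL.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol === "file:") {
    return { scheme: "file:", host: "", port: "", opaque: true };
  }
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
    opaque: false,
  };
}

// Two documents may script each other only if all three components match.
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The Window members that remain reachable across origins. Everything else
// (document, localStorage, cookie, ...) throws a SecurityError in a browser.
const CROSS_ORIGIN_ALLOWED = [
  "location (assign only)", "postMessage", "close", "closed", "focus", "blur",
  "frames", "length", "opener", "parent", "top", "self", "window",
];

// What script running in a page at `fromUrl` can do with a window it opened
// (or a tab it navigated) to `toUrl`.
function crossWindowAccess(fromUrl, toUrl) {
  const same = sameOrigin(originOf(fromUrl), originOf(toUrl));
  return {
    readDocument: same,                          // e.g. win.document.body.innerHTML
    allowed: same ? ["everything"] : CROSS_ORIGIN_ALLOWED,
  };
}

// The thread's scenario: the router page (constructed address) opens file:///.
// It can send the window there; it cannot read what the window then shows.
const routerToFile = crossWindowAccess("http://192.168.1.1/status.html", "file:///");
console.log(JSON.stringify(routerToFile));
```

Note that current Firefox and Chromium go one step further and refuse to navigate from an http: page to a file: URL at all, so today the router's link would be blocked before the question of reading the listing even arises.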