Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure

Josselin Mouette joss at debian.org
Mon Nov 16 08:53:36 UTC 2009


On Monday, 16 November 2009 at 09:37 +0100, Mike Hommey wrote:
> On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
> > What’s a bookmarklet? I don’t even know whether epiphany supports this. 
> 
> It's JavaScript code you bookmark and can run on any site. A bit like
> Greasemonkey, but cross-browser. It's designed to run in the current
> page context, so the security issue here is by design.

Confirmation before saving the bookmarklet to the list of bookmarks? If
so, I’d say epiphany is not affected, since it always asks for
confirmation whenever you bookmark something.

> To alleviate the
> broken-by-design part, the CVE says the browser should ask for
> confirmation, as if everybody reads alerts and makes informed decisions.
> Haha.

Another case of “security by unusability” I guess. After the huge success
of Vista and Firefox 3…

Cheers, 
-- 
 .''`.      Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `-     future understand things”  -- Jörg Schilling