[webkit-dev] Security advice for linux browsers based on WebKit

Gustavo Noronha Silva gns at gnome.org
Mon Aug 24 06:11:19 PDT 2009


On Sun, 2009-08-23 at 21:30 -0700, Adam Barth wrote:
> > I think, though, that the AFS/NFS issue you mention is more general and
> > shouldn't be a motivating factor. We have many GNU/Linux users not in
> > corporate networks, these days, as well, and I think we should not be
> > designing everything for big installations (those usually have admins
> > who can worry about this kind of issue).
> >
> > Also, it looks like you can access windows shares using
> > file://server/folder/file.html, so this doesn't seem to be UNIX-specific
> > in any way. I also bet Mac can be made to use NFS, and AFS, so, again, I
> > fail to see this as particularly important on non-Mac UNIX-likes.
> 
> I'm not sure I quite followed your line of reasoning here.  Are you
> suggesting that everyone should use the more secure setting or are you
> saying that you don't think this is an important security measure in
> non-enterprise settings?

I am saying that we should be careful not to design things with 'Linux
is mostly used in enterprise settings' in mind. There is no reason to
treat it differently than the other desktops; I myself have never used
NFS or AFS, nor have many people I know, even though I've been using
GNU/Linux for ~10 years now. And, as I pointed out, the same potential
problem with networked file systems may happen with Windows or Mac.

> I agree that everyone should disable universal access for file URLs.
> In fact, I think we should make it the default because the current
> default is pretty dangerous.

So, to clear up my position regarding the actual meat of the proposal: I
agree this is an important security concern. Doing that in libraries
right now will break API expectations, though, so I think if it is done,
this should be done first by documenting the intent to change, and then
changing after a reasonable amount of time. Of course browser
applications can do it right now, though =)

See you,

-- 
Gustavo Noronha Silva <gns at gnome.org>
GNOME



More information about the webkit-dev mailing list