[webkit-dev] a simple isolatedworlds alternative for uzbl?
Dieter Plaetinck
dieter at plaetinck.be
Thu Jan 28 00:40:18 PST 2010
On Wed, 27 Jan 2010 23:01:17 -0800
Adam Barth <abarth at webkit.org> wrote:
> Getting this right with the approach you seem to be taking is
> extremely difficult. The problem is not that the local script is
> untrustworthy. The problem is that the web page it's interacting with
> might be able to steal its privileges.
Thank you, but can you describe this a bit more?
Even if we don't pass around the object or attach it to an object such
as document or window, we are still vulnerable? How can the webpage
"steal privileges"?
>
> Isolated worlds should be implemented in webkitgtk+ thanks to some
> contributors from Apple. I bet all that's left to do is add an API
> for accessing the functionality. The PDF is just being honest when it
> says "reasonable assurance." I'd be extremely skeptical of someone
> who claims more than reasonable assurance for a commercial-grade
> system.
>
> Adam
That's good to know. I'm looking forward to it. The "reasonable
assurance" part, does this mean a problem with the design or is this
more about potential issues with the (early) implementations?