[webkit-dev] a simple isolatedworlds alternative for uzbl?
Dieter Plaetinck
dieter at plaetinck.be
Thu Jan 28 11:57:59 PST 2010
On Thu, 28 Jan 2010 08:01:19 -0800
Adam Barth <abarth at webkit.org> wrote:
> On Thu, Jan 28, 2010 at 12:40 AM, Dieter Plaetinck
> <dieter at plaetinck.be> wrote:
> > On Wed, 27 Jan 2010 23:01:17 -0800
> > Adam Barth <abarth at webkit.org> wrote:
> >
> >> Getting this right with the approach you seem to be taking is
> >> extremely difficult. The problem is not that the local script is
> >> untrustworthy. The problem is that the web page it's interacting
> >> with might be able to steal its privileges.
> >
> > Thank you, but can you describe this a bit more?
> > Even if we don't pass around the object or attach it to an object
> > such as document or window, we are still vulnerable? How can the
> > webpage "steal privileges"?
>
> For example, the attacker could use some of the techniques described
> in this paper:
>
> http://www.adambarth.com/papers/2009/adida-barth-jackson.pdf
Thanks.
Very interesting article.
I guess we can only wait for isolatedworlds to appear in the gtk+
port :)
Dieter