Seamless Lessons & Security (commentary)
krstic at solarsail.hcs.harvard.edu
Mon Jul 7 14:59:00 EDT 2008
On Jul 7, 2008, at 10:29 AM, Martin Dengler wrote:
> No response?
Your message _appears_ to suppose that the security model was defined
for the hell of it, or because someone wanted to engage in an
interesting academic experiment, and thus breaking the security model
when it's convenient is somehow okay. That's not a discussion I'm
particularly interested in, but Michael will probably be more helpful.
> ...seems false. I just tried an IE 7.0 install I have, and it does
> in fact
> support "launch-by-click" for executables yields:
That's precisely the seam that Michael and I wrote about in his
previous message to the thread. The opposition he and I have is
towards allowing single-click actions to cross security barriers
without the system _ensuring_ that the user is informed of the crossing.
In other words, to support Browse launching Pippy when a .py file is
clicked, Rainbow would have to confer upon Browse the privilege of
launching other activities (which may, and in the case of execution
environments such as Pippy and eToys, regularly will) have higher
privileges than Browse itself, have such launched activities operate
on arbitrary input provided by Browse, and not require user approval
anywhere in the process.
This is stupid.
The way to do it is to throw up a (system-, not Browse- rendered!)
warning dialog indicating that a security boundary is about to be
crossed, and allowing the user to stop the action -- unless this
particular boundary traversal was specifically approved ahead of time.
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
More information about the Devel