Security for launching from URL
Noah Kantrowitz
noah at coderanger.net
Mon Jul 7 16:59:04 EDT 2008
On Jul 7, 2008, at 12:52 PM, Eben Eliason wrote:
> On Fri, Jul 4, 2008 at 6:42 PM, Ivan Krstić
> <krstic at solarsail.hcs.harvard.edu> wrote:
>> That said, the URI handler approach should be used sparingly. It's one
>> thing to allow starting an audio player by clicking an MP3 link in the
>> browser, and another to arbitrarily execute code (e.g. through an
>> execution environment such as Pippy or eToys) from a web page with a
>> single click. While Bitfrost is designed to mitigate the side effects
>> of arbitrary code execution, it's very unwise to make it trivial for
>> the user to trigger such execution unknowingly.
>
> I really don't see anything wrong with injecting a modal alert,
> displayed by Sugar, into this process if we must. Clicking on an mp3
> in Browse would reveal this alert, and ask for confirmation that the
> user wishes to open it. It would, of course, offer a list of
> activities which support its mime-type (assuming there are more than
> one). It could potentially include a way to set the default handler
> as well, such that the next time it is revealed for the same mime-type
> a different default is chosen. I recognize that we try at all costs
> to eliminate this form of dialog, but I also recognize that we might
> not want to allow an activity to arbitrarily launch other activities
> without the user's consent.
Repetitive modal dialogs are useless, bordering on harmful. When was the
last time you read an IE dialog carefully?
--Noah