Security for launching from URL

Noah Kantrowitz noah at coderanger.net
Mon Jul 7 16:59:04 EDT 2008


On Jul 7, 2008, at 12:52 PM, Eben Eliason wrote:

> On Fri, Jul 4, 2008 at 6:42 PM, Ivan Krstić
> <krstic at solarsail.hcs.harvard.edu> wrote:
>> That said, the URI handler approach should be used sparingly. It's  
>> one
>> thing to allow starting an audio player by clicking an MP3 link in  
>> the
>> browser, and another to arbitrarily execute code (e.g. through an
>> execution environment such as Pippy or eToys) from a web page with a
>> single click. While Bitfrost is designed to mitigate the side effects
>> of arbitrary code execution, it's very unwise to make it trivial for
>> the user to trigger such execution unknowingly.
>
> I really don't see anything wrong with injecting a modal alert,
> displayed by Sugar, into this process if we must.  Clicking on an mp3
> in Browse would reveal this alert, and ask for confirmation that the
> user wishes to open it.  It would, of course, offer a list of
> activities which support its mime-type (assuming there are more than
> one).  It could potentially include a way to set the default handler
> as well, such that the next time it is revealed for the same mime-type
> a different default is chosen.  I recognize that we try at all costs
> to eliminate this form of dialog, but I also recognize that we might
> not want to allow an activity to arbitrarily launch other activities
> without the user's consent.

Repetitive modal dialogs are useless bordering on harmful when was the  
last time you read an IE dialog carefully.

--Noah


More information about the Devel mailing list