[Sorry about the delay answering, I've been (and will remain for a while) busy and kind of disconnected, so there will likely be more delays.]

On Mon, Apr 07, 2008 at 09:43:08AM -0400, Eric Cooper wrote:
> When I click on this feed: http://www.borowitzreport.com/, the first
> item is (currently) the following. Liferea pops up a browser window
> for the embedded URL in the <iframe> whenever I try to display
> headlines -- I'm not even trying to read the body of the item.

I've tried without success to reproduce this. Could you send me the settings you have in the "browser" tab, please? Also, I assume you're not using the webkit backend, but please confirm this.

> The fact that the link points to a site in Changzhou, China, and the
> strange nesting of the end tag -- <</iframe>/iframe> -- makes me think
> this feed was hijacked, so liferea's behavior is a security hole.

The problem with this characterization is that liferea has no way of knowing whether a feed's content is "unauthorized". I do agree that opening a browser window is wrong, but there's no way we could filter quite a bit of other hijackable behaviour, such as including images in a feed's description, for example. Thus, I kind of question calling this a security issue.

--
Rodrigo Gallardo
GPG-Fingerprint: 7C81 E60C 442E 8FBC D975 2F49 0199 8318 ADC9 BC28