On Wed, Nov 28, 2007 at 09:11:39PM -0800, Kelly Clowers wrote:
> On Nov 28, 2007 7:06 PM, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> > <snip>
> >
> > AIUI, enabling JavaScript enables the remote site to run javascript on
> > your box. It doesn't do any sort of audit of what it will run. So I
> > would assume that it can do whatever javascript is capable of.
> >
> > Can javascript read my .ssh directory and grab my id_rsa or id_dsa?
>
> Javascript the language can - i.e. you could write a script file in JS
> instead of Perl. However, JS that is run in a web page is sandboxed.
> If it could read your files it would be considered a (very) major security
> flaw in that browser's JS implementation and the news would be all
> over the tech sites.
>

So how big is the sandbox? What is the worst that a mal JS could do?

So we don't keep site passwords in the browser's "shall I remember this
for the future" but instead keep it in a separate file in the home
directory.

I would assume then that after visiting a site where I had to enter a
password, I should exit and restart the browser before visiting another
site?

Doug.