@john ... I do not want to keep the browser unconfined, but currently we have a widely gaping security hole that allows everyone to read any cleartext password any third party app stores in the user's home. I have no doubt that adding confinement is the right solution, can you implement it for the next OTA (yes, this was rhetorical) ... ?
Today, if a user uses some third party Facebook web app that stores his PW in a cleartext cookie, that user can't hand his device unlocked to someone else without immediately risking that they can read his PW ... I know intercepting the file protocol isn't a solution, but applying such a band aid until the actual solution is in place to protect our users seems acceptable to me vs having this issue open for another year with actual customers out there being vulnerable ...

--
https://bugs.launchpad.net/bugs/1393515

Title:
  browser allows browsing the phone filesystem

Status in Canonical System Image: New
Status in webbrowser-app package in Ubuntu: Confirmed
Status in webbrowser-app package in Ubuntu RTM: Confirmed

Bug description:
  Using a URL like: file:/// gets you to the root of the phone filesystem ... I assume this is not actually desired since we even block the filemanager app to go higher up than $HOME without requiring a password.

  The webbrowser-app should either:
  * behave like the file-manager (see bug #1347010 for details)
  * file:/// should be disabled altogether on the phone
  * webbrowser-app should run confined which would force the use of content-hub by limiting file:/// access to those paths allowed by policy
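The first option in the bug description (no file: access above $HOME), sketched as an added example; this is not webbrowser-app code or anything posted in this thread. The function name `file_url_allowed`, the `allowed_root` parameter and the throwaway directory layout are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import urlsplit, unquote


def file_url_allowed(url, allowed_root):
    """Return True only if a file: URL resolves to a path inside allowed_root."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return True  # not a local-file request; other schemes are out of scope here
    if parts.netloc not in ("", "localhost"):
        return False  # file://host/... forms are refused outright
    path = unquote(parts.path)  # decode %2e%2e and friends before checking
    if "\x00" in path or not path.startswith("/"):
        return False
    # realpath collapses ".." and follows symlinks, so the check sees the real target
    real = os.path.realpath(path)
    root = os.path.realpath(allowed_root)
    return os.path.commonpath([real, root]) == root


def demo():
    """Constructed sample: a temporary directory stands in for the user's $HOME."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "home", "user")
        os.makedirs(os.path.join(home, "Documents"))
        outside = os.path.join(base, "etc")
        os.makedirs(outside)
        os.symlink(outside, os.path.join(home, "link"))  # symlink leading out of home
        urls = {
            "root": "file:///",
            "short_form": "file:" + outside + "/passwd",
            "inside": "file://" + home + "/Documents/notes.txt",
            "encoded_dotdot": "file://" + home + "/%2e%2e/%2e%2e/etc/passwd",
            "symlink": "file://" + home + "/link/passwd",
            "web": "https://example.com/",
        }
        return {name: file_url_allowed(u, home) for name, u in urls.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:15} {'allow' if allowed else 'block'}")
```

A check like this still leaves everything under the home directory readable, including data that apps store there, so it only narrows the exposure the comment describes; confinement by policy is what removes it.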