Firefox/Projects/Binding for untrusted text in security dialogs: Difference between revisions

From MozillaWiki
(Created page with '== Summary == Design and implement a common way for security dialogs to include untrusted text without compromising the rest of the dialog. The implementation might take the fo…')
 
 
Line 13: Line 13:
== Team ==
== Team ==


*'''Project Lead''': johnath?
*'''Project Lead''': Blair (Unfocused)
*'''Alternate Contact''': Johnath
*'''Initiator''': jesse
*'''Initiator''': jesse



Latest revision as of 19:31, 26 October 2009

Summary

Design and implement a common way for security dialogs to include untrusted text without compromising the rest of the dialog. The implementation might take the form of an XBL binding.

Current Status

A private page describes some of the attacks we would like to defend against, and contains a partial list of security dialogs in Firefox. It is clear that, given the number of attacks and the number of dialogs, ad-hoc checks are doomed to failure.

Next Steps

Related Bugs

Team

  • Project Lead: Blair (Unfocused)
  • Alternate Contact: Johnath
  • Initiator: jesse

Designs

Goals/Use Cases

  • Defend against attacks where site-supplied text breaks other parts of security dialogs.

Non Goals

  • Defend against sites supplying sentences (except perhaps by setting site-supplied text apart visually).
  • Defend against "badgering" attacks.
  • Save the world from scareware.