MarineW | 2 Nov 2007 08:30

Use signed scripts in JSP pages


Hello,

I have to use JavaScripts that require special privileges from Firefox. So I
need to sign these scripts in JAR files, with the NSS tool.
But I have a problem as these scripts are then used from JSP pages.

It is written here
(http://www.mozilla.org/projects/security/components/signed-scripts.html#signing),
the following :

"The major difference in signing scripts between 4.x and Mozilla is that in
Mozilla, the entire page must be signed, as opposed to only the script
running on the page. For any script to be granted expanded privileges, all
scripts on or included by an HTML page must be signed."

If I understand this correctly, I have to include HTML pages that call
JavaScript functions into the signed JAR.
But as I don't use HTML, but JSP pages, how can I proceed ?

Thanks for any help.

PS : Today, when calling a JavaScript function located in a jar, from a JSP,
I have the following error :
Erreur : [Exception... "'Permission refusée d'obtenir la propriété
UnnamedClass.classes' when calling method:
[nsIDOMEventListener::handleEvent]" nsresult: "0x8057001e
(NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no]

PS2 : Or maybe is there another way to do what I have to...

dolphinling | 4 Nov 2007 21:53

How to get back deleted default root certificates?

A while ago I deleted a few of the default root certificates, and I'd like to 
get them back. I remember hearing at some point that the default certificates 
aren't actually deleted when you delete them, just marked as invalid. Is that 
true, and if so, can I undelete them? If not, can I import them from somewhere 
convenient like another Firefox profile, or do I need to find them online?
-- 
dolphinling
<http://dolphinling.net/>
robbie.bern | 17 Nov 2007 13:36

Installation of Firefox Prompts for Home/Shared/Public Levels

Here is a feature that I have been wanting for a while and in my
novice searches, I have been unable to find any mention of this so
far.

Basically, during installation, it would be great if Firefox prompted
to know if it was being installed on a home machine, one that was
shared (like in an office or home where guests use the computer
frequently), or one that is public (like at a university library).
The installation would then customize/enable/disable a few of
Firefox's features as it relates to storing data.

For example:

Home > Turns on remembering passwords, history, auto-population of
text fields... etc.

Shared > Disables remembering passwords and auto-population of text
fields but keeps less sensitive information like browser history and
cookies.  (Things that would be acceptable if co-worker or family
member saw.)

Public > Disables all remembering of passwords, auto-pop, and
automatically clears private data (history, cache, cookies, etc) every
time the browser is closed.

I know that all of these features can be individually turned on / off,
but I know from experience how long it takes me to go through and
"customize" these particularly important features of Firefox to fit
the level of security needed.  Plus, as Firefox becomes more
mainstream, we can all be assured that fewer and fewer users will take

scott | 18 Nov 2007 21:24

www33.not-found-entry.org

It seems this www33.not-found-entry.org is originating from InsightBB.
Insight is an abhorrent organization so none of this surprises me one
bit.

Most people don't know that Insight used to be a publicly traded
company but went private a couple years ago so they now answer to no
shareholders. Their privatization was funded almost entirely by The
Carlyle Group who has been in bed with the Bush and Bin Laden
families, also owns the world's largest military equipment
manufacturer, and is now partially owned by the government of Abu
Dhabi, the capital of the United Arab Emirates.

Considering how the current administration enjoys monitoring
everyone's personal communications, I can't imagine a worse company to
be in charge of processing your internet, banking, and television
viewing habits.

This is just one of dozens of articles on the topic and how
Louisville's metro government has allowed Insight to run free with
whatever they want to push over on local consumers:
http://www.newsnshit.com/2006/09/we-want-airwaves-back.html

This is my site, I'm running for state senate in 2008. I would love to
be able to do something about this and similar abuses.
http://www.ballotrevolution.org
Daniel Benamy | 20 Nov 2007 08:34

Security enhancement: Tabs as separate processes?

Hi all,
At a security lecture, I got to thinking about how browsers are
becoming more like OSes in that they're running more and more of our
apps. Arguably the primary goal of an OS is to allow us to run
multiple programs without them messing each other up. An important
mechanism to enable this is separate address spaces for each process.
But our apps in different tabs all run in the same address space (as
far as I know) so if one app exploits a vulnerability or triggers a
bug in the js interpreter or an image parser or something they may
have access to something important like our banking information which
is being displayed in another tab. So I was curious about how
difficult it would be to modify the browser so that there's a main
process which does network stuff and ui stuff and manages the cache
and most of the general web browser functionality, but it doesn't try
to understand anything sent down by a web server. Instead it passes
that data to a separate process which is responsible for actually
rendering the content of the page and passes the finished static
product back. So the understanding/rendering process would have the
isolation provided by the OS and any problems couldn't spill over to
other tabs. Additionally, the understanding and rendering process
could be highly sandboxed using selinux or apparmor or whatever other
security tools people like. Since its output would be through such a
restricted channel and in such a (hopefully) safe way, I'd think it
could be set up so that even if it's exploited to allow arbitrary code
execution, the attacker couldn't harm any local resources like the
filesystem.
If something like this is possible, I might try to do it as a research
project at school. Does anyone know if it is or how difficult it would
be?
Thanks a lot,

dolphinling | 22 Nov 2007 08:56

Re: Security enhancement: Tabs as separate processes?

Daniel Benamy wrote:
> [...] So I was curious about how
> difficult it would be to modify the browser so that there's a main
> process which does network stuff and ui stuff and manages the cache
> and most of the general web browser functionality, but it doesn't try
> to understand anything sent down by a web server. Instead it passes
> that data to a separate process which is responsible for actually
> rendering the content of the page and passes the finished static
> product back. So the understanding/rendering process would have the
> isolation provided by the OS and any problems couldn't spill over to
> other tabs.
> If something like this is possible, I might try to do it as a research
> project at school. Does anyone know if it is or how difficult it would
> be?
> Thanks a lot,
> Dan

I'm really *really* unqualified to answer this, I'm only responding since no one 
else has (and it being Thanksgiving in the US, you might not get a response for
a few more days) -- so believe anything else you read more than this.

One problem that you'll likely have to deal with is that separate tabs/windows 
*can* interact with each other through script, given that they pass the 
appropriate checks on their origin. I don't know what those checks are, but I do 
know that if a script opens a new window, it can write things to that window.

Also, I believe that this topic has come up before, or if not in separate 
processes I'm certain it has for separate threads. I have no idea what the 
outcome of those discussions was, though. You might try searching relevant 
newsgroups (this one, perhaps m.d.a.firefox, perhaps others), Bugzilla, or

Benjamin Smedberg | 26 Nov 2007 15:30

Re: Security enhancement: Tabs as separate processes?

Daniel Benamy wrote:

> multiple programs without them messing each other up. An important
> mechanism to enable this is separate address spaces for each process.
> But our apps in different tabs all run in the same address space (as
> far as I know) so if one app exploits a vulnerability or triggers a
> bug in the js interpreter or an image parser or something they may
> have access to something important like our banking information which
> is being displayed in another tab. So I was curious about how
> difficult it would be to modify the browser so that there's a main
> process which does network stuff and ui stuff and manages the cache
> and most of the general web browser functionality, but it doesn't try
> to understand anything sent down by a web server. Instead it passes
> that data to a separate process which is responsible for actually
> rendering the content of the page and passes the finished static
> product back. So the understanding/rendering process would have the
> isolation provided by the OS and any problems couldn't spill over to
> other tabs. Additionally, the understanding and rendering process
> could be highly sandboxed using selinux or apparmor or whatever other
> security tools people like. Since its output would be through such a
> restricted channel and in such a (hopefully) safe way, I'd think it
> could be set up so that even if it's exploited to allow arbitrary code
> execution, the attacker couldn't harm any local resources like the
> filesystem.

Yes, we have considered this... it is in fact very hard to do correctly. The
major problem is that windows may communicate with each other via JavaScript.
One window can obtain a reference to another window via window.open(). And
website JavaScript has a run-to-completion semantic which means that it
doesn't expect other JS to modify its state while a script is running; this

Dietrich Ayala | 26 Nov 2007 20:29

Places Security Review

The Places security review is scheduled for 12:00 PM Pacific on Tuesday, November 27:

The overview of this feature is written up at:

http://wiki.mozilla.org/Places:SecurityReview

Dial-in Info:

* 650-903-0800 or 650-215-1282 x91 conf# 270 (US/Intl)
* 1-800-707-2533 (pin 369) conf# 270 (US)
* irc.mozilla.org #granparadiso for backchannel

For those onsite at MoCo, this is happening in Building S, probably in
the same room as the Firefox meeting.

Thanks,

Dietrich
Dave Townsend | 28 Nov 2007 01:33

Add-ons Manager Security Review

The add-ons manager security review is scheduled for 12:00 PM Pacific on
Wednesday, November 28:

The overview of this feature is written up at:

http://wiki.mozilla.org/User:Mossop/Addons_Security_Review

Dial-in Info:

* 650-903-0800 or 650-215-1282 x91 conf# 257 (US/Intl)
* 1-800-707-2533 (pin 369) conf# 257 (US)
* irc.mozilla.org #granparadiso for backchannel

For those onsite at MoCo, this is happening in Building S, probably in
the same room as the Gecko 1.9 meeting.

Thanks,

Dave
