
Re: Securing teh Intarwebs (Ultimate Solution ;)



Mike Perry wrote:
> Thus spake Mike Perry (mikepery@xxxxxxxxxx):
> 
>> Also, it appears that we also need to hook
>> document.defaultView.getComputedStyle(link,null).getPropertyValue();
>> somehow (perhaps by hooking getComputedStyle and clearing all
>> properties for its return value if it is an "A" tag like I do with
>> document.getElement*, or possibly by hooking the getPropertyValue
>> method on the returned object) in order to defeat
>> http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
> 
> No, this is stupid. The adversary can just walk the DOM and look for A
> tags. You have to be pro-active and walk the whole DOM first yourself,
> and strip the attributes off of each A tag as you find it.
> 
> Or, perhaps getting the history clearing thing to work is the real
> Ultimate Solution.

Or maybe telling the Firefox developers to enforce a local/remote
separation. The JS running from a remote server should not be able to
determine computed properties of links. Think taint checking, like in Perl.

> You can use fileio in javascript to read
> history.dat (see jshooks.js), but the main issue is file locking on
> Windows may prevent you from writing it out again since it appears Firefox
> never actually closes the file. It's worth a shot though. Perhaps they
> don't lock the file while they have it open,

From what I remember when using TeX on Windows, file locking
happens automagically.

> and maybe they seek to the
> beginning of it each time they read it out...
> 
> Ok, I promise I won't reply to myself any more. ;)
> 


Attachment: signature.asc
Description: OpenPGP digital signature
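
The getComputedStyle hook discussed in this thread, sketched as an added example that is not part of the original messages or of jshooks.js: computed style is blanked for A tags and anything nested inside them, so visited and unvisited links read the same to page script. The function names, the mock view and the colour values are assumptions constructed for illustration.

```javascript
// Added example (not from jshooks.js). All names here are hypothetical.

// True if the element is an A tag or sits inside one; children inherit the
// link's colour, so they need the same treatment as the link itself.
function isInsideLink(element) {
  for (let node = element; node; node = node.parentNode) {
    if (node.tagName && node.tagName.toUpperCase() === "A") return true;
  }
  return false;
}

// Stand-in style object: every property and every getPropertyValue() call
// reads as the empty string, whatever the link's real state is.
function blankStyle() {
  const methods = { getPropertyValue: () => "", getPropertyPriority: () => "", item: () => "" };
  return new Proxy(methods, {
    get(target, name) {
      if (typeof name === "symbol") return Reflect.get(target, name);
      if (name === "length") return 0;
      return name in target ? target[name] : "";
    },
  });
}

// Wrap view.getComputedStyle (view plays the role of document.defaultView).
function hookComputedStyle(view) {
  const original = view.getComputedStyle;
  view.getComputedStyle = function (element, pseudo) {
    if (isInsideLink(element)) return blankStyle();
    return original.call(view, element, pseudo);
  };
  return view;
}

// Constructed mock of a view so the hook can run outside a browser:
// visited links compute to purple, unvisited to blue, other elements to black.
function makeMockView() {
  return {
    getComputedStyle(element) {
      let node = element;
      while (node && node.tagName !== "A") node = node.parentNode;
      const color = !node ? "rgb(0, 0, 0)"
        : node.visited ? "rgb(85, 26, 139)" : "rgb(0, 0, 238)";
      return { color, getPropertyValue: (p) => (p === "color" ? color : "") };
    },
  };
}
```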