Yavor Doganov
yavor****@gnu*****
2009年 11月 16日 (月) 00:59:16 JST
Mamoru Tasaka wrote: > I already saw the URL, however still I fail to understand the > rationale. See http://lcamtuf.coredump.cx/ffbook/attack.js. I'm not familiar with JavaScript either, but it seems to me that an attacker can gain access to sensible data when the bookmarked page is loaded and the script is executed in the context of the last visited page. It is of medium severity, because it still needs user action for this to happen. > If it is possible to add the uri manually anyway, I don't see the > necessity of the patch. You can always add the bookmark by editing ~/.kazehakase/bookmarks.xml anyway, so I don't think this is a valid argument. At least the Debian Security Team confirmed that this will fix the CVE (I'm not a security expert myself so I'm not prepared to argue). > ... But when bookmarking the uri, the user is seeing the uri once > anyway? Yes. The problem is when (the common case) the user is not familiar with the implications. > Yes, so it means that firefox people are refusing the proposition? No, it means that they agree this is an issue that has to be fixed and even have an approved patch, but it has not been applied (for whatever reasons). > (and the original bug is > https://bugzilla.mozilla.org/show_bug.cgi?id=371179 ) Right, sorry.