Re: Security evaluation of an example DAP policy

On Thu, Nov 19, 2009 at 4:07 PM, Marcin Hanclik
<Marcin.Hanclik@access-company.com> wrote:
> Hi Adam,
>
> I think that
> <resource-match attr="param:name" func="regexp">/(C|c):\\(.+)\\(.+)/</resource-match>
> should be
> <resource-match attr="param:name" func="regexp">/(C|c):\\([^\\]+)\\.+/</resource-match>
> up to any further bug in the RE.
> Sorry, my problem.
>
> Anyway, the general comment is that the use case is under control based on the current spec.

For what it's worth, I think any API that opened a dialog asking the
user "Do you want to give website X access to directory Y in your file
system" would not be an API we'd be willing to implement in Firefox.
I.e. our security policy would be to always deny such a request (thus
making implementing the API useless for our users).

/ Jonas

Received on Friday, 20 November 2009 00:24:49 UTC