Re: Security evaluation of an example DAP policy

On Nov 19, 2009, at 4:23 PM, Jonas Sicking wrote:

> On Thu, Nov 19, 2009 at 4:07 PM, Marcin Hanclik
> <Marcin.Hanclik@access-company.com> wrote:
>> Hi Adam,
>>
>> I think that
>> <resource-match attr="param:name" func="regexp">/(C|c):\\(.+)\\(.+)/ 
>> <resource-match />
>> should be
>> <resource-match attr="param:name" func="regexp">/(C|c):\\([^\\]+)\\. 
>> +/<resource-match />
>> up to any further bug in the RE.
>> Sorry, my problem.
>>
>> Anyway, the general comment is that the use case is under control  
>> based on the current spec.
>
> For what it's worth, I think any API that opened a dialog asking the
> user "Do you want to give website X access to directory Y in your file
> system" would not be an API we'd be willing to implement in firefox.
> I.e. our security policy would be to always deny such a request (thus
> making implementing the API useless for our users).

Ditto for Safari.

  - Maciej

Received on Friday, 20 November 2009 00:26:50 UTC