- From: Jim Ley <jim.ley@gmail.com>
- Date: Sun, 25 Jul 2004 19:48:26 +0100
On Sat, 24 Jul 2004 14:05:03 -0200, Doron Rosenberg <doronr at gmail.com> wrote:
> Back at Netscape, when we were working on Mozilla's web services
> support, we introduced a security model where a web services hosting
> domain can allow cross domain calls to it, controlled via an XML file
> (read more at http://lxr.mozilla.org/mozilla/source/extensions/webservices/docs/New_Security_Model.html).

As well as Malcolm's concerns with practicality of this, I have pretty significant concerns about the security of it - as it takes the security completely out of the hands of the user. If my bank makes a mistake and makes its web-service available to random domains, there's nothing I can do to either be aware of it, or presumably disable it on an individual basis.

I'm really quite alarmed by this approach, in fact. How do I disable it (or, if not it, all SOAP) in my Firefox, please? I can't seem to see the menu option.

Also, can you please put a great big security warning on the "What's new" that clarifies and explains exactly what these new "security models" are - as most people have the expectation that UAs are consistent and don't suddenly give their browsers new security-dangerous abilities they don't tell anyone about!

Jim.
Received on Sunday, 25 July 2004 11:48:26 UTC