Re: Using from David Woolley on 2003-12-04 (www-html@w3.org from December 2003)

From: David Woolley <david@djwhome.demon.co.uk>
Date: Thu, 4 Dec 2003 21:32:47 +0000 (GMT)
To: www-html@w3.org
Message-Id: <200312042132.hB4LWlO01291@djwhome.demon.co.uk>

> If the following:
> 
> document.formPrincipal.PHOTO1.disabled=true;

This is off topic: "how to" question, and document object model issue.

What you seem to be trying to do is to create a "rogue server can read
any file readable to the browser user" security breach.  If you succeed
and publish, you should expect the loophole to be closed in the next
hot fix for the browser.

Providing tainting checks to permit this is well beyond the current state
of AI; it requires analysing the users view of what is on the screen.
Even the current, relatively objective, security checks get done wrong.

Received on Thursday, 4 December 2003 17:26:23 UTC