It’s not about Webkit, silly. It’s about evolution.
February 20, 2013
« Webkit is a rust bucket. We can’t move away from it, because our users rely on its bugs as much as on its features, but it’s based on deprecated technologies, concepts that don’t scale anymore, and it just won’t match today’s needs or hardware. If we had any choice, we would dump the whole thing and restart from scratch. »
JavaScript Security Extensions for Firefox
November 2, 2007
This entry is a brief presentation of ongoing work by my second group of students at ENSI de Bourges, Benjamin Meslin and Jeremy Colombet.
The problem
As I detailed in a previous entry, Firefox Extensions — just like their counterparts in Internet Explorer, Safari or Air — are essentially unsafe: once an extension is installed, nothing prevents it from reading, writing or removing files on the user’s hard drive, running arbitrary programs, or downloading further instructions from a malicious web site. More subtle problems may also arise: a malicious extension may read or alter the data of Firefox or of another extension during its execution, so as to, say, steal passwords or transparently reroute the user from a legitimate website to an identical but forged one.
Now, most recent operating systems have some form of Mandatory Access Control (MAC) layer (sometimes marketed as “sandboxes”), designed to permit fine-grained security checks on what a program should be able to do when used by a given person in a given role. Unfortunately, as things stand, these layers are completely ill-suited to universal clients such as web browsers (or virtual machines, for that matter), which act as smaller operating systems themselves, without a clear separation of roles or uses.
That doesn’t mean that MAC can’t be made to work for Firefox, of course. Just that it needs work.