On 07/02/2011 05:42 PM, Sam Varshavchik wrote:
JD writes:
> On 07/02/2011 02:42 PM, Sam Sharpe wrote:
> > On 2 July 2011 22:20, JD<jd1008(a)gmail.com> wrote:
> >> On my machine, when I disable javascript, it is unable to display
> my files.
> >> I understand that the browser is supposed to be able to display
> your files
> >> with the file:/// URL.
> >> I just was not expecting my router to issue a javascript to
> >> to access my files. And my concern is that any web site can issue a
> >> javascript to access personal files; and most people are unaware
> of this,
> >> because they are not techies, and do not understand what javascripts
> >> are capable of doing.
> > I don't think you understand. Your browser can access your local
> > files. It is doing so via a file:/// URL. This is not a problem with
> > javascript, this is a feature of your browser. To check this, please
> > type in "file:///" into your browsers address bar manually and you
> > will see that there is no difference in the behaviour. I repeat, this
> > is not a javascript problem and you are getting hysterical over
> > nothing.
> >
> > It is not a security risk because it is showing you the files you have
> > access to on your machine. Javascript has absolutely nothing to do
> > with it apart from sending *you* to the URL.
> >
> When I disabled javascript, the the link in the
> router's page could no longer open
> file:///
What you're missing is that a remote server's ability to instruct your
web browser to open the contents of file:/// URL is limited to
precisely that: your web browser opening and displaying the contents
of file:///. The remote server's javascript has no means of accessing
the contents of file:///. Once your web browser opens file:///, the
previous page from the remote server is closed, together with all the
javascript that was in it.
If file:/// gets opened in a separte window or a tab, as can be done,
the javascript running from another window or tab still has no means
of accessing the contents of another scope, as well. Javascript can
only access resources that originate from the same scope.
This is a well-understood security model. There have been isolated
instances in the past, where flaws were discovered in some individual
browser's security model that allowed some mechanism for running
Javascript to access content from another scope; occasionally a common
flaw was found that was shared by several browsers.
Barring your wonderrouter leveraging some hereto unknown security
exploit, all that your wonderrouter is doing is the equivalent of the
HTML that reads
<a href="file:///">Y0U h4ve b33n p0wned</a>
…yawn…
You missed the import of what I was saying...
that a javascript pushed by a website,
forced on my browser to execute on my machine
is in and of itself a violation of privacy and security.
Furthermore, it would be incredibly shortsighted
(stating it mildly) to write off such practice as safe
by any measure.
I sent a reply to Ed. Read that one.