MozillaZine

Towards Mozilla 1.0

Tuesday June 26th, 2001

Gervase Markham recently posted his feelings on what a 1.0 release of Mozilla would be. Gerv has sent us the follow-up to that posting, including much of the feedback he received. To read it, click the full article link. Once you have read through it, we welcome you to post your feelings on what you think a 1.0 release would have. [As Gerv says, please don't post your favorite list of bugs, only the criteria for choosing what bugs to fix.]


#199 Security issues in Mozilla

by shaver

Friday June 29th, 2001 11:45 AM

When you say ``it may be'', do you mean that

- you have seen cases of Mozilla manifesting these security flaws, or
- you have heard reports of Mozilla manifesting these security flaws, or
- you're just guessing based on an interpretation of those documents?

"Running remote XUL" isn't a security issue at all; XUL isn't privileged in any way, only chrome: URLs (and they can't be remote).

I don't know which JavaScript APIs you're talking about, but I believe that the DOM ones -- which are pretty much the only ones that are exposed to unprivileged content -- have in fact been reviewed in quite some detail.

There has been a firewall between ``remote'' (really unprivileged) JS and ``privileged XUL code'' (do you mean XUL content, or chrome-privileged JS?) for many many many months. Years, probably. Just ask all the people who have had things break when the security manager got overly restrictive in certain cases.

People running Mozilla may well be vulnerable to security flaws (bug 83038 was present in 0.9.1, for example), but we're pretty good about fixing them for the next release. If you're bothered by the possibility of there being security flaws in your browser, perhaps running pre-release Mozilla builds isn't the right thing for you. (I expect that we'll be much more likely to do fast respins for security issues once we get to 1.0.)

I have no comment on any Netscape 6.x issues, and I wouldn't share such comments here if I did.