- From: Edd Dumbill <edd@usefulinc.com>
- To: Matt Sergeant <matt@sergeant.org>
- Date: Sat, 6 May 2000 14:51:42 +0100
On Fri, May 05, 2000 at 09:45:01PM +0100, Matt Sergeant wrote:
> I was actually going to post something about this on mozillazine.org,
> since mozilla has just incorporated XML-RPC. I'm seriously worried about
> potential security holes there. I guess we'll see how it pans out - at
> least with mozilla we can plug the holes as they appear.
The XML-RPC support checked into Mozilla is an XML-RPC client, not
server. This means it only ever initiates calls, never responds to them.
In this sense it is doing no more than a Javascript POSTing to a form and
retrieving a response. Furthermore, it is not pervasive functionality.
It is an XPCOM class which must be instantiated by a script in order to
be used.
Additionally, I believe it is constrained to the general security model
of Mozilla, which will mean that it can only establish a network
connection back to the host that served it, if served from a network
host rather than the filesystem. (Although I'm not 100% clear on this as
I can't find this model explicitly documented at the moment.)
I regard the addition of this functionality as a great move for Mozilla,
so it is definitely worth us exploring all the security implications
up-front before it gets released.
-- Edd
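As an added example (not code from this thread, nor Mozilla's XML-RPC implementation), the following JavaScript sketches the two properties Edd describes for a browser-side XML-RPC client: it only ever builds and sends a `methodCall`, and it refuses to talk to any host other than the one that served the script. The serving origin `SERVING_ORIGIN`, the `sampleTransport` function with its canned responses, and the method name `examples.getStateName` are all constructed assumptions for this illustration; a real client would replace the transport with an HTTP POST and would use a proper XML parser rather than the small regex-based decoder shown here.

```javascript
// Added example: a minimal XML-RPC client that (1) only initiates calls and
// (2) is restricted to the origin that served the script. Not Mozilla's code.

// Assumption: the origin the script was loaded from (stand-in for document origin).
const SERVING_ORIGIN = "http://example.test";

// Same-host constraint: allow a call only if scheme and host[:port] match the
// origin that served the script.
function isAllowedEndpoint(endpointUrl, servingOrigin = SERVING_ORIGIN) {
  let target;
  try { target = new URL(endpointUrl); } catch { return false; }
  const origin = new URL(servingOrigin);
  return target.protocol === origin.protocol && target.host === origin.host;
}

function escapeXml(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function unescapeXml(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'").replace(/&amp;/g, "&");
}

// Encode a JavaScript value as an XML-RPC <value>. Only scalars and arrays.
function encodeValue(v) {
  if (typeof v === "boolean") return `<value><boolean>${v ? 1 : 0}</boolean></value>`;
  if (typeof v === "number" && Number.isInteger(v)) return `<value><int>${v}</int></value>`;
  if (typeof v === "number") return `<value><double>${v}</double></value>`;
  if (typeof v === "string") return `<value><string>${escapeXml(v)}</string></value>`;
  if (Array.isArray(v)) return `<value><array><data>${v.map(encodeValue).join("")}</data></array></value>`;
  throw new TypeError(`cannot encode value of type ${typeof v}`);
}

// Build the request document. The method name is validated so untrusted
// input cannot inject markup into the call.
function buildMethodCall(methodName, params) {
  if (!/^[A-Za-z0-9_.:/]+$/.test(methodName)) throw new Error("invalid XML-RPC method name");
  const body = params.map((p) => `<param>${encodeValue(p)}</param>`).join("");
  return `<?xml version="1.0"?><methodCall><methodName>${methodName}</methodName>` +
         `<params>${body}</params></methodCall>`;
}

// Decode the inner content of a scalar <value> element (int/i4, double, boolean, string).
function decodeValue(inner) {
  let m;
  if ((m = inner.match(/^\s*<(int|i4)>\s*(-?\d+)\s*<\/\1>\s*$/))) return parseInt(m[2], 10);
  if ((m = inner.match(/^\s*<double>\s*(-?[\d.]+)\s*<\/double>\s*$/))) return parseFloat(m[1]);
  if ((m = inner.match(/^\s*<boolean>\s*([01])\s*<\/boolean>\s*$/))) return m[1] === "1";
  if ((m = inner.match(/^\s*<string>([\s\S]*?)<\/string>\s*$/))) return unescapeXml(m[1]);
  throw new Error(`unsupported or malformed <value>: ${inner.slice(0, 40)}`);
}

// Parse a single-scalar <methodResponse>; a <fault> becomes a thrown Error with faultCode.
function parseMethodResponse(xml) {
  if (!/<methodResponse>/.test(xml)) throw new Error("not a methodResponse document");
  const fault = xml.match(/<fault>([\s\S]*?)<\/fault>/);
  if (fault) {
    const code = fault[1].match(/<name>\s*faultCode\s*<\/name>\s*<value>([\s\S]*?)<\/value>/);
    const str = fault[1].match(/<name>\s*faultString\s*<\/name>\s*<value>([\s\S]*?)<\/value>/);
    const err = new Error(str ? String(decodeValue(str[1])) : "XML-RPC fault");
    err.faultCode = code ? decodeValue(code[1]) : undefined;
    throw err;
  }
  const param = xml.match(/<params>\s*<param>\s*<value>([\s\S]*?)<\/value>\s*<\/param>\s*<\/params>/);
  if (!param) throw new Error("no single-parameter response found");
  return decodeValue(param[1]);
}

// The client: enforce the same-host constraint before any request leaves.
// `transport(url, body)` stands in for an HTTP POST and returns the response XML.
function xmlRpcCall(endpointUrl, methodName, params, transport) {
  if (!isAllowedEndpoint(endpointUrl)) throw new Error(`refusing cross-host call to ${endpointUrl}`);
  return parseMethodResponse(transport(endpointUrl, buildMethodCall(methodName, params)));
}

// Constructed canned transport so the example runs offline.
function sampleTransport(url, requestBody) {
  if (/<methodName>examples\.getStateName<\/methodName>/.test(requestBody)) {
    return '<?xml version="1.0"?><methodResponse><params><param><value><string>South Dakota' +
           '</string></value></param></params></methodResponse>';
  }
  return '<?xml version="1.0"?><methodResponse><fault><value><struct>' +
         '<member><name>faultCode</name><value><int>4</int></value></member>' +
         '<member><name>faultString</name><value><string>Too many parameters.</string></value></member>' +
         '</struct></value></fault></methodResponse>';
}

console.log(xmlRpcCall("http://example.test/RPC2", "examples.getStateName", [41], sampleTransport));
```

The origin check is the part that matters for Edd's point: with it in place the client is no more capable than a script POSTing a form to its own server, and a script served from a different host cannot use it to reach this one. Note that `isAllowedEndpoint` compares scheme as well as host, so an `https` page cannot be made to call a plain `http` endpoint on the same host either.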
***************************************************************************
This is xml-dev, the mailing list for XML developers.
To unsubscribe, mailto:majordomo@xml.org&BODY=unsubscribe%20xml-dev
List archives are available at http://xml.org/archives/xml-dev/
***************************************************************************