--
Spartanicus
> I know that I can get a page to appear as a panel via the "Show in
> panel" bookmark option, but is it possible for such a panel to access
> the DOM of the content loaded in the main tab/window?
Nope. That would be very cool, but also dangerous (XSS).
--
Rijk / Opera Software ASA / QA etc
"We hereby honor Opera with our Han and Chewy Award for Innovation and
Harebrained Experimental Goodness"
http://www.wired.com/news/technology/software/0,72360-0.html
>> I know that I can get a page to appear as a panel via the "Show in
>> panel" bookmark option, but is it possible for such a panel to access
>> the DOM of the content loaded in the main tab/window?
>
>Nope. That would be very cool, but also dangerous (XSS).
Would allowing this only if the resource used as a panel is located on
the local file system make a difference to that risk?
When writing markup I have FF open next to Opera purely for a FF
extension that generates a document outline from the header structure
and displays it in the FF sidebar.
--
Spartanicus
That leaves the question: where did you get this resource on your local
file system, that you use as panel? Wrote it yourself, downloaded it
somewhere? If downloaded, who guarantees that the site offering this cool
feature you want as panel didn't put anything evil in it?
If you wrote it yourself: how does Opera distinguish between anything
you wrote yourself (=safe for XSS as you know what it does) and things
you downloaded, and which are potentially bad?
Martin, just guessing
--
ICQ: 76384978
C.H.E.R.R.Y.:
Cybernetic Humanoid Engineered for Repair and Rational Yardwork
> Spartanicus wrote:
>>
>> Would allowing this only if the resource used as a panel is located on
>> the local file system make a difference to that risk?
>
> That leaves the question: where did you get this resource on your local
> file system, that you use as panel? Wrote it yourself, downloaded it
> somewhere? If downloaded, who guarantees that the site offering this cool
> feature you want as panel didn't put anything evil in it?
> If you wrote it yourself: how does Opera distinguish between anything
> you wrote yourself (=safe for XSS as you know what it does) and things
> you downloaded, and which are potentially bad?
Indeed. It might be feasible, IMHO, only if you get a very clear warning
before adding a panel. Currently it is very easy to add a panel, but with
XSS capabilities you should treat this with the same caution as in
installing an executable.
Is that significantly different from installing any other software?
Following your argument to its logical conclusion, the operating
system should refuse to allow any program to run because it doesn't
know whether you wrote it yourself or installed it from elsewhere.
At some point you have to be able to say "I know what I'm doing", and
installing an application on your local disk is a good way of showing
that you trust it. If I download a binary and install it somewhere I
don't expect the system to step in and say "I'm not going to let you
run that because it could be dangerous", so why should it be different
for scripts in web pages? If I'm stupid enough to save something from
warez.virussite.com that's my lookout, and if I'm stupid enough to
do that then I'll probably have killed my system with compromised
software long before I get around to installing Opera.
Perhaps the opera: protocol could be used to refer to a local area in
which judged-to-be-safe files are held. If I specify a URL in the form
<opera:safe/myfile.html> Opera will trust the page completely and
allow it to do anything. For added safety downloads direct to that
directory tree would be prohibited, forcing the user to go through the
same sort of save-then-install procedure used for normal applications.
--
Matthew Winn
[If replying by email remove the "r" from "urk"]
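The trusted-area idea in the post above, sketched as an added example that is not part of the original post and not Opera code. The `opera:safe/` form is the poster's proposal; `SAFE_ROOT` and all function names are hypothetical, the sample paths are constructed, and symlinks are not resolved.

```javascript
// Hypothetical policy for the proposed "opera:safe/" area (not a real Opera feature).
const SAFE_ROOT = "/home/user/.opera/safe"; // constructed location of the trusted tree

// Collapse "." and ".." segments of an absolute POSIX-style path.
function normalize(absPath) {
  const out = [];
  for (const seg of absPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// True when the normalised path is SAFE_ROOT itself or lies beneath it.
function isInsideSafeRoot(absPath) {
  const p = normalize(absPath);
  return p === SAFE_ROOT || p.startsWith(SAFE_ROOT + "/");
}

// Decide whether a panel URL earns full trust. Only opera:safe/<path> that
// still points below SAFE_ROOT after decoding and normalisation qualifies.
function classifyPanelUrl(url) {
  const prefix = "opera:safe/";
  if (!url.startsWith(prefix)) return { trusted: false, reason: "outside safe area" };
  let rel;
  try {
    rel = decodeURIComponent(url.slice(prefix.length).split(/[?#]/)[0]);
  } catch (e) {
    return { trusted: false, reason: "malformed escape" };
  }
  if (rel === "" || /[\0\\]/.test(rel)) return { trusted: false, reason: "invalid path" };
  const file = normalize(SAFE_ROOT + "/" + rel);
  if (file === SAFE_ROOT || !isInsideSafeRoot(file)) {
    return { trusted: false, reason: "escapes safe area" };
  }
  return { trusted: true, file };
}

// Downloads straight into the trusted tree are refused, so a file only gets
// there through a deliberate save-then-install step by the user.
function downloadAllowed(targetPath) {
  return !isInsideSafeRoot(targetPath);
}
```

The decision is made on the decoded, normalised path, so an encoded `..` segment is treated the same as a literal one.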
And how would you know that so for certain?
http://people.opera.com/rijk/opera/userjs.html#notes
"Please don't expect me to explain specific functions,
because I'm not a proficient JavaScripter myself."
Read it ^^^^^^^^^^^^^^^^^^^^ loud.
This is the functionality I have been asking for for the last 6.5 years.
If you still don't understand, the communication between panel and "tab
window" can be restricted in ways,
that "tab window" COULD NOT CALL METHODS AND COULD NOT ACCESS VARIABLES OF
PANEL.
But you talk your XSS voodoo, and axe the great functionality with FUD and
scare people off.
You can't have vision if you don't have passion.
Working in software industry for money is a bitch.
Try engineering instead of being forever QA.
QA doesn't create new things.
Working on other persons' bugs and code misbreedings cools passion off.
Don't believe everything they tell you out of their own convenience "it
can't be done"...
Instead of creating panel as a useful item, Opera Software's engineer pervs
coined what?
THE WIDGEEEETS!
I even saw a video with Jon S. von Tetzchner where he was interviewed
around the time when Opera 9 was released and he was like tricked to be happy and
proud to say that like Widgets are somewhat similar to Firefox's
extensions...
PR people don't manufacture anything but void words.
Widgets are atm pure crap.
Why they are crap - that can be read from some of my other news postings.
The point of having panels or "side bar" as it is called in FF is that it
SHOULD PROVIDE ADDITIONAL VALUE AND SERVICES. For example take a whatever
news portal - HOW ABOUT A PANEL THAT WOULD DISPLAY LINKS TO THE RELATED
STORIES (not limited to that news portal but also links to other news
portals ) I HAVE MADE ASSOCIATIONS WITH? But to do that you need panel to
obtain URL of the "main tab".
Or what about Panel that would search webpages text and compare it against
person names in your personal database, assuming the panel is a website
originating from local Apache/IIS whatever web server.
If such easy panel-communication would be made possible, it would open up
a path for many new applications to rise. The concept of browser as
information gathering tool with database backend would make its first
steps in mainstream.
Also the sidebar can not provide ANY ADDITIONAL USEFUL contextual value if
the XmlHTTPRequest is limited to communicate with the host the panel
originates from. Somehow the useless widgets can communicate to different
hosts, but panels can't... THERE IS NO LOGICAL EXPLANATION FOR THAT!
Now Rijk once said that widgets have different security context or
subsystem or I don't recall exactly what it was exactly, but the point is
WHY THEN THE PANELS COULDN'T HAVE THAT DIFFERENT CONTEXT?
No answer...
--
Marek Mänd
Tallinn, Estonia