Message from discussion Interaction between page and panel?

Path: g2news2.google.com!news3.google.com!news2.volia.net!news.germany.com!multikabel.net!feed20.multikabel.net!tudelft.nl!txtfeed2.tudelft.nl!gentoo.nl.linux.org!news.nl.linux.org!news.opera.com!news.opera.no!not-for-mail
From: Martin 'Cherry' Kirsch <mar...@kirschen.org>
Newsgroups: opera.general
Subject: Re: Interaction between page and panel?
Date: Tue, 30 Jan 2007 18:39:13 +0100
Organization: Opera Software Net News
Lines: 19
Message-ID: <45BF82C1.A7998330@kirschen.org>
References: <bjmur2ts0ge0ulg3i4b1lcjmlf9pa0a3qe@4ax.com> <op.tmy3d7upj2qftn@laptop-rock.lan> <qdsur2p26a9ml9ta997bpj6bb0gv7sfdh6@4ax.com>
NNTP-Posting-Host: k085.fem.tu-ilmenau.de
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Trace: news.opera.com 1170178876 1812 141.24.42.85 (30 Jan 2007 17:41:16 GMT)
X-Complaints-To: usenet@news.opera.com
NNTP-Posting-Date: Tue, 30 Jan 2007 17:41:16 +0000 (UTC)
X-Mailer: Mozilla 4.78 [de] (Windows NT 5.0; U)
X-Accept-Language: de
User-Agent: Hamster/2.1.0.11

Spartanicus schrieb:
> 
> Would allowing this only if the resource used as a panel is located on
> the local file system make a difference to that risk?

That leaves the question: where did you get this resource on your local
file system, that you use as panel? Wrote it yourself, downloaded it
somewhere? If downloadet, who garantees that the site offering this cool
feature you want as panel didn't put anything evil in it?
If you wrote it yourself: how does Opera distinguish between anything
you wrote yourself (=safe for XSS as you know what it does) and things
you downloaded, and which are potentially bad?

Martin, just guessing
-- 
ICQ: 76384978

C.H.E.R.R.Y.:
Cybernetic Humanoid Engineered for Repair and Rational Yardwork