On 02/11/2015 15:50, Gervase Markham wrote:
> 4) Can't disable addon installation, and addons can be silently evil
>
> -- Can we add a pref to disable this?
There are already several prefs (in about:config) that could be used for
this.

I think it is unlikely that we would clutter up the
already-too-comprehensive about:preferences with UI-based prefs for
this, also because they would be footguns.
> 5) Safe Browsing warnings are bypassable
>
> -- Can we add a pref to disable this?
I don't really understand what the point of such a pref would be. Surely
then the user would first flip the pref and then bypass the safebrowsing
warning?

Generally I am a little surprised at the "users might do stupid things"
category of feedback here. I am generally skeptical that "make it a
pref" is a sensible solution for that problem. Users "stupidly" mess
with prefs they shouldn't be messing with *all the time*. Ironically,
the add-on one is a fine example of this (we now rely on the default
theme add-on being installed, and you can currently turn this off, which
will make your browser UI... less usable, shall we say).

Note that we already warn about sending the credentials if not done
through the prompt.

It'd probably be worth speaking to Tanvi about this.
> 7) No notification if browser updates fail
You can turn on a pref for this on stable (app.update.badge). It's on by
default in Nightly and Developer Edition.
> 8) No separation between Internet and Intranet pages
>
> 8b) no built-in XSS protection
>
> 8c) old and vulnerable plugins needed in an Intranet can be invoked by
> Internet content
This is not true anymore? At least, not without considerable
jumping-through-hoops by the user, and soon NPAPI will be essentially
completely dead.
> -- My understanding is that making this distinction accurately is Hard.
> Is that true? What does IE do?
I'm assuming you are talking about XSS and Internet vs. Intranet? I
don't know what IE does, but if I had to guess, I'd assume that they
would treat domains that resolve to IP addresses that are in the
reserved ranges as "intranet" and everything else as "internet".
As for XSS, we do support CSP headers, which do help.
> 9) No security event logging
What is a "security event"?
~ Gijs
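
The reserved-range heuristic guessed at in the reply above, sketched as an added example; it is not part of the original message and does not describe what IE or Firefox actually do. The function names, the list of ranges counted as "reserved", and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumed definition of "reserved" for this sketch: RFC 1918 private space,
# loopback and link-local, plus their IPv6 counterparts.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def _normalise(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def is_reserved(addr):
    """True if addr falls inside one of the assumed reserved ranges."""
    ip = _normalise(addr)
    return any(ip.version == net.version and ip in net
               for net in RESERVED_NETS)

def classify_zone(resolved_addrs):
    """Classify a host from the full set of addresses it resolved to.

    A host counts as "intranet" only if every address is reserved. An
    empty or mixed answer set falls back to "internet", the less trusted
    zone, because a single reserved address says nothing about the rest.
    """
    if not resolved_addrs:
        return "internet"
    return "intranet" if all(is_reserved(a) for a in resolved_addrs) else "internet"

if __name__ == "__main__":
    # Constructed resolution results; no DNS lookups are performed.
    samples = {
        "wiki.corp.example": ["10.20.30.40"],
        "www.example.org": ["93.184.216.34"],
        "mixed.example.net": ["203.0.113.7", "192.168.1.1"],
        "mapped.corp.example": ["::ffff:192.168.0.5"],
    }
    for host, addrs in samples.items():
        print(f"{host:22} {classify_zone(addrs)}")
```

The classification is only as stable as the DNS answers it is fed, which is one reason the distinction is hard to make accurately.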