On 13 May 2015, at 14:47, OSUserNYC <OSUs...@gmail.com> wrote:
> Our firm's security team has expressed concern that Selenium IDE can bypass
> Firefox security mechanisms, i.e. an end user might be able to install other
> third-party plugins etc.
>
> My initial review after installing the plugin is that Selenium IDE acts
> 'normally' as any other regular Firefox plugin.
As far as I know, IDE itself is not any different from any other plugin, although it’s obviously not security-reviewed by Mozilla.
During test runtime, all of Selenium RC, WebDriver, and IDE bypass various security mechanisms. In fact, many of the WebDriver implementations go a step further and give you access to browser internals.
For this reason you shouldn’t run your Selenium servers on a public IP range; you should make sure to bind only to the local network interface, and protect your IP subnet.
In practice this isn’t usually a problem since you run your tests against temporary browser profiles and inside a firewall.
> Can any maintainer of IDE express their views on this topic? This will
> help to alleviate the concerns of our security team.
I should note that I don’t know IDE very well so my observations about it might be wrong.
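
Added example, not part of the original message: a small audit that reads `ss -ltn` output and reports which addresses a Selenium server port is bound to, so a listener on all interfaces or on a non-private address stands out. It assumes the server uses port 4444 (the Selenium server default); the function names and the sample output are constructed for illustration.

```python
import ipaddress

# Assumption: 4444 is the Selenium server port in use; change it if yours differs.
SELENIUM_PORT = 4444
# RFC 1918 ranges plus IPv6 unique-local, listed explicitly so results are stable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      50     127.0.0.1:4444          0.0.0.0:*
LISTEN 0      50     *:4444                  *:*
LISTEN 0      50     10.20.0.15:4444         0.0.0.0:*
LISTEN 0      50     [::ffff:127.0.0.1]:4444 *:*
LISTEN 0      50     203.0.113.7:4444        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22              0.0.0.0:*
"""

def classify_bind(addr):
    """Classify a listener's local address by how widely it is reachable."""
    addr = addr.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %iface
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # treat ::ffff:a.b.c.d as IPv4
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private-subnet"                # still relies on subnet protection
    return "non-private"

def audit(ss_output, port=SELENIUM_PORT):
    """Return (address, classification) for every listener on the given port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port):
            findings.append((addr, classify_bind(addr)))
    return findings

def exposed(findings):
    """Listeners that are not confined to loopback or a private subnet."""
    return [a for a, kind in findings if kind in ("all-interfaces", "non-private")]

if __name__ == "__main__":
    for addr, kind in audit(SAMPLE_SS):
        print(f"{addr:28} {kind}")
```

On a test host, pass the real output of `ss -ltn` to `audit()` instead of the sample.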