What kind of holes does Giorgio think are exploitable in Thunderbird 5.0 + now that the Addons Manager has decided that it's allowed to browse from within TBird, and at the same time it's hooked up with all the Firefox plugins on the system while it was at it?
Sure I can disable plugins and all other web links from within TBird are still being passed to Fx, but AMO is going to be a honeypot for scripting games isn't it?
Tbird AM now a Moz browser *without* NS
Tbird AM now a Moz browser *without* NS
NS AMO Beta channel subscription.
Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Re: Tbird AM now a Moz browser *without* NS
Is TB considered a "browser" as far as NoScript is concerned?
As in can NoScript be installed into a stand-alone TB (while having no other "Mozilla" apps)?
As in can NoScript be installed into a stand-alone TB (while having no other "Mozilla" apps)?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110928 SeaMonkey/2.4.1
Re: Tbird AM now a Moz browser *without* NS
Nope.therube wrote:Is TB considered a "browser" as far as NoScript is concerned?
As in can NoScript be installed into a stand-alone TB (while having no other "Mozilla" apps)?
It's acquired all the browser. stuff in config now, but no UI at all, and NoScript install is rejected.
Of course I trust the browser is locked down enough, but I don't know whether to trust AMO - which I guess is the reason for all the browser configs being activated. I'm not expert in all the browser. settings via about:config so don't know the answer to this.
All I'm asking here is for the scriptmeister's opinion on the safety of TBird's browser being activated in the way it has been.
EDIT: Setting javascript off is safe enough I suppose. I'll leave it at that and see what breaks.
Last edited by saywot on Thu Oct 06, 2011 8:53 am, edited 1 time in total.
NS AMO Beta channel subscription.
Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
-
Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Tbird AM now a Moz browser *without* NS
Thunderbird is a Gecko-based web browser, even though the specific web browsing part is hidden most of the time.
Your concerns are fair, but if AMO got compromised you would face much worse problems than injected scripts: if I was an attacker, I'll immediately replace the top 10 most popular add-ons with my own versions, and reach a much wider audience than "Thunderbird users who open the addons manager". So porting NoScript (which would be quite a difficult task) is not worth the effort, given the threat model.
Your concerns are fair, but if AMO got compromised you would face much worse problems than injected scripts: if I was an attacker, I'll immediately replace the top 10 most popular add-ons with my own versions, and reach a much wider audience than "Thunderbird users who open the addons manager". So porting NoScript (which would be quite a difficult task) is not worth the effort, given the threat model.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Re: Tbird AM now a Moz browser *without* NS
It looks like my edit of previous post crossed with your answer.Giorgio Maone wrote: So porting NoScript (which would be quite a difficult task) is not worth the effort, given the threat model.
Thanks very much for the opinion.
This definitely wasn't a request for NS for Tbird - I've turned javascript off, and all should be fine now .... it's having those plugins automatically installed I found unsettling
NS AMO Beta channel subscription.
Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1