Always allow about:reader

Posted: Sun Apr 19, 2015 8:51 pm
by Skalman
There's a new Firefox feature: Reader view in desktop Firefox. Release notes

Apparently, the new reader view uses about:reader, so it would be nice if it could be enabled by default.

Re: Always allow about:reader

Posted: Sun Apr 19, 2015 11:12 pm
by Thrawn
That would depend on whether about:reader can be expected to be safe...anyone know more about that?

Re: Always allow about:reader

Posted: Mon Apr 20, 2015 1:14 pm
by Giorgio Maone
I'm not sure allowing about:reader by default is a good idea, not yet at least: it appears it loads content from the page to be "read", transforms and styles it then renders it in its own context.
Now if something goes wrong with the transformation, and specifically the sanitization of active content is bypassable, you come to allow active content execution on any page you pass to the reader which knows how to exploit this bypass.
So for now I prefer to explicitly allow "about:reader" when it's needed.
If its 100% security gets proved, I'm ready to change my mind.

Re: Always allow about:reader

Posted: Mon Apr 20, 2015 8:38 pm
by Skalman
Okay, I'll simply enable it myself, since I trust it. Thanks for your explanations.

Re: Always allow about:reader

Posted: Mon Apr 20, 2015 11:30 pm
by Thrawn
Is reader mode intended to be 100% no-active-content? If so, then is it worth adding an ABE rule for defence in depth?

Code:

Site about:reader
Sandbox