Tbird AM now a Moz browser *without* NS
Posted: Tue Oct 04, 2011 5:36 pm
by saywot
What kind of holes does Giorgio think are exploitable in Thunderbird 5.0+ now that the Addons Manager has decided that it's allowed to browse from within TBird, and at the same time it's hooked up with all the Firefox plugins on the system while it was at it?
Sure, I can disable plugins, and all other web links from within TBird are still being passed to Fx, but AMO is going to be a honeypot for scripting games, isn't it?
Re: Tbird AM now a Moz browser *without* NS
Posted: Wed Oct 05, 2011 11:42 pm
by therube
Is TB considered a "browser" as far as NoScript is concerned?
As in can NoScript be installed into a stand-alone TB (while having no other "Mozilla" apps)?
Re: Tbird AM now a Moz browser *without* NS
Posted: Thu Oct 06, 2011 6:57 am
by saywot
therube wrote: Is TB considered a "browser" as far as NoScript is concerned?
As in can NoScript be installed into a stand-alone TB (while having no other "Mozilla" apps)?
Nope.
It's acquired all the browser. stuff in config now, but no UI at all, and NoScript install is rejected.
Of course I trust the browser is locked down enough, but I don't know whether to trust AMO - which I guess is the reason for all the browser configs being activated. I'm not expert in all the browser. settings via about:config so don't know the answer to this.
All I'm asking here is for the scriptmeister's opinion on the safety of TBird's browser being activated in the way it has been.
EDIT: Setting javascript off is safe enough I suppose. I'll leave it at that and see what breaks.
Re: Tbird AM now a Moz browser *without* NS
Posted: Thu Oct 06, 2011 8:52 am
by Giorgio Maone
Thunderbird is a Gecko-based web browser, even though the specific web browsing part is hidden most of the time.
Your concerns are fair, but if AMO got compromised you would face much worse problems than injected scripts: if I were an attacker, I'd immediately replace the top 10 most popular add-ons with my own versions, and reach a much wider audience than "Thunderbird users who open the addons manager". So porting NoScript (which would be quite a difficult task) is not worth the effort, given the threat model.
Re: Tbird AM now a Moz browser *without* NS
Posted: Thu Oct 06, 2011 8:56 am
by saywot
Giorgio Maone wrote: So porting NoScript (which would be quite a difficult task) is not worth the effort, given the threat model.
It looks like my edit of the previous post crossed with your answer.
Thanks very much for the opinion.
This definitely wasn't a request for NS for Tbird - I've turned javascript off, and all should be fine now... it's having those plugins automatically installed that I found unsettling.
