Re: libseed-list Security overview



On 2011.05.17, at 15:48, Michael Terry wrote:

> Hello, gentle Seed developers!
> 
> I do work on the Ubuntu desktop team and am looking into getting seed into the main archive so that it can ship with Ubuntu 11.10 as part of GNOME 3 [1].
> 
> Part of that process is a security review and this comment was made by Kees Cook, a member of the security team:
> 
> """
> Yikes, javascript hooked to the desktop. :) There's nothing immediately wrong with the code, but I have to wonder about how security boundaries are going to be enforced, if JS from the browser ever touches JS for the desktop. I would prefer to see documentation similar to the "same origin" policies in browsers for how JS will be used in the Desktop before this package goes into main.
> """
> 
> Maybe my Google-fu is weak, but I couldn't find discussions of seed security or XSS issues.  Though apparently it has some support for sandboxing?
> 
> Also in general with seed, who is responsible for enforcing or activating security protections?  Like, do Gedit plugins have to specifically ask seed to use sandboxing or whatever?  (i.e. do we just have to worry about seed screwing up, or do we also have to look at all users of seed?)

I'm a bit confused - Seed is just bindings: no different than, for example, PyGObject, or gjs, or any of these [2] (especially gjs!). In practice, it's no different than any other scripting language on your system with GObject bindings. Seed has no interaction at all with "browser-side" JavaScript.

Security implications for Seed scripts are - as far as I'm aware - exactly the same as for Python scripts or the like (none of which have anything like Web-JS's "same origin" policies).

Maybe Robb can shed some light.

[2] http://live.gnome.org/GObjectIntrospection/Users

> Thanks!
> 
> [1] https://bugs.launchpad.net/ubuntu/+source/seed/+bug/782972
> 
> -mt


