Re: Extension security?
- From: "Jasper St. Pierre" <jstpierre mecheye net>
- To: Milan Bouchet-Valat <nalimilan club fr>
- Cc: gnome-shell-list <gnome-shell-list gnome org>
- Subject: Re: Extension security?
- Date: Mon, 5 Dec 2011 17:29:57 -0500
Also:
https://bugzilla.gnome.org/show_bug.cgi?id=665452
On Mon, Dec 5, 2011 at 5:23 PM, Milan Bouchet-Valat <nalimilan club fr> wrote:
> Le lundi 05 décembre 2011 à 23:14 +0100, Gabriel a écrit :
>> Hi all,
>>
>> I may be missing something, but the really nifty extensions site
>> prompted me to ask this, are there not potential security issues with
>> extensions being able to be installed by clicking on a webpage? Ans
>> since extensions are able to modify the way the UI behaves, could
>> someone not make one that steals users' info, make screenshots, steal
>> passwords (like emulating the login screen for example), etc?
> (Note this applies to any random third-party package users might install
> by clicking on a link and providing their password.)
>
>> I'm sure you thought of all this so I be interested in knowing how you
>> protect us (sandboxing, limiting the things API can do, not allowing
>> access to the HD except thought given functions, etc).
> This has been discussed on this list previously. See
> http://lwn.net/Articles/459786/ for a summary and links.
>
> Basically, the Shell ensures the extension comes from
> extensions.gnome.org, which requires a review of the code by other
> hackers; and it will never install/update extensions without user action
> (modal dialog). But once installed, extensions are not sandboxed and can
> do whatever they want to the Shell, or to your files (just like any app
> on the system).
>
>
> Cheers
> _______________________________________________
> gnome-shell-list mailing list
> gnome-shell-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-shell-list
--
Jasper
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
