http://dcortesi.com/2006/12/11/google-browser-sync/ Coding, Security, and maybe a little bit about Damon Cortesi Wed, 20 Aug 2008 17:18:28 +0000 http://wordpress.org/?v=2.5.1 http://dcortesi.com/2006/12/11/google-browser-sync/#comment-13569 Damon Sat, 16 Dec 2006 19:32:18 +0000 http://dcortesi.com/2006/12/11/google-browser-sync/#comment-13569 Well it seems to happen whenever I leave Seattle! So I guess that means I should stay in town more often. Well it seems to happen whenever I leave Seattle! So I guess that means I should stay in town more often.

]]> http://dcortesi.com/2006/12/11/google-browser-sync/#comment-13564 lauriannjane Sat, 16 Dec 2006 15:05:23 +0000 http://dcortesi.com/2006/12/11/google-browser-sync/#comment-13564 Hey Damon, ever since you moved out there I've read one article after another on big storms, monsoons, etc. You windstorm of yesterday made front page news on our Pittsburgh Post Gazette. Does this have anything to do with your arrival there?? Hey Damon, ever since you moved out there I’ve read one article after another on big storms, monsoons, etc. You windstorm of yesterday made front page news on our Pittsburgh Post Gazette. Does this have anything to do with your arrival there??

]]> http://dcortesi.com/2006/12/11/google-browser-sync/#comment-13458 ha.ckers.org web application security lab - Archive » Firefox Allows Any Site To Inject XPI Via XSS Via Delegation Wed, 13 Dec 2006 19:49:19 +0000 http://dcortesi.com/2006/12/11/google-browser-sync/#comment-13458 [...] Apparently this is true, although I can’t for the life of me figure out why this should be allowed. I ran across an article at DCortesi’s site talking about how Firefox has delegated their security to Google for installation of the Google Sync XPI. Pretty scary actually. What this means is that if an XSS hole were ever found in any whitelisted domain (including XSS in their server, MITM through your proxy server etc…) Firefox will happily allow you to download xpi files. I’ve talked with a few people about this off and on in a different context of loading an xpi file into a data: directive on the whitelisted domain. Yah, that’s scary. This is worse. [...] [...] Apparently this is true, although I can’t for the life of me figure out why this should be allowed. I ran across an article at DCortesi’s site talking about how Firefox has delegated their security to Google for installation of the Google Sync XPI. Pretty scary actually. What this means is that if an XSS hole were ever found in any whitelisted domain (including XSS in their server, MITM through your proxy server etc…) Firefox will happily allow you to download xpi files. I’ve talked with a few people about this off and on in a different context of loading an xpi file into a data: directive on the whitelisted domain. Yah, that’s scary. This is worse. [...]

]]> http://dcortesi.com/2006/12/11/google-browser-sync/#comment-13418 Ziru Zhu Tue, 12 Dec 2006 06:53:21 +0000 http://dcortesi.com/2006/12/11/google-browser-sync/#comment-13418 I would blame Mozilla more on this. I would blame Mozilla more on this.

]]>