Re: SOAP, plague, love
On Fri, May 05, 2000 at 09:45:01PM +0100, Matt Sergeant wrote:

> I was actually going to post something about this on mozillazine.org,
> since mozilla has just incorporated XML-RPC. I'm seriously worried about
> potential security holes there. I guess we'll see how it pans out - at
> least with mozilla we can plug the holes as they appear.

The XML-RPC support checked into Mozilla is an XML-RPC client, not server. This means it only ever initiates calls, never responds to them. In this sense it is doing no more than a Javascript POSTing to a form and retrieving a response.

Furthermore, it is not pervasive functionality. It is an XPCOM class which must be instantiated by a script in order to be used.

Additionally, I believe it is constrained to the general security model of Mozilla, which will mean that it can only establish a network connection back to the host that served it, if served from a network host rather than the filesystem. (Although I'm not 100% clear on this as I can't find this model explicitly documented at the moment.)

I regard the addition of this functionality as a great move for Mozilla, so it is definitely worth us exploring all the security implications up-front before it gets released.

-- Edd

***************************************************************************
This is xml-dev, the mailing list for XML developers.
To unsubscribe, mailto:majordomo@x...&BODY=unsubscribe%20xml-dev
List archives are available at http://xml.org/archives/xml-dev/
***************************************************************************