On 5/28/14, 12:34 PM, Matt Pagan wrote:
> How salient are the risks of accessing the network if there are no external links in the manual and the window is opened with arguments similar to:
> window.open("file://" + dir + "index.html", "_blank", "status=0,toolbar=0,location=0,menubar=0"),
> ?
> That is, why would escaping and accessing the network be a consideration if the address bar, menubar, and toolbar aren't loaded?
One possibility is that the user intentionally (or accidentally) drags a URL into the help window. There are probably several other possibilities that should be blocked. Research is needed.
There is also an issue that the Tor Launcher wizard is in a modal window that floats above all other TBB windows. A help viewer window will need to be opened as a modal window (which means users would not be able to interact with the wizard window until they close the help window). As I recall, there are annoying platform-specific differences in Firefox related to dialogs and modality. More research and design is needed here.
-- Kathy