[tbb-dev] Current thoughts on tb-manual presentation
brade at pearlcrescent.com
Wed May 28 18:42:34 UTC 2014
On 5/28/14, 12:34 PM, Matt Pagan wrote:
> How salient are the risks of accessing the network if there are no
> external links in the manual and the window is opened with arguments
> similar to:
> window.open("file://" + dir + "index.html", "_blank",
> That is, why would escaping and accessing the network be a consideration
> if the address bar, menubar, and toolbar aren't loaded?
One possibility is that the user intentionally (or accidentally) drags a
URL into the help window. There are probably several other
possibilities that should be blocked. Research is needed.
There is also an issue that the Tor Launcher wizard is in a modal window
that floats above all other TBB windows. A help viewer window will need
to be opened as a modal window (which means users would not be able to
interact with the wizard window until they close the help window). As I
recall, there are annoying platform-specific differences in Firefox
related to dialogs and modality. More research and design is needed here.
More information about the tbb-dev