And as a follow-up to the last post on browsers, the Other Browser Group (everyone who makes a commercial web browser, that isn't just a wrapper for one or more rendering engine, barring Microsoft) announce that they're going to extend scriptability on binary plugins. These binary plugins will be built using a C-based unmanaged API. Here's what they have to say about security:
"In addition to this, a further extension to this API is being discussed that would give a plugin greater flexibility by letting the plugin control the origin of the calling code, so that the plugin can specify the origin of calls that come from internally loaded code from other origins. This way such code can be executed with only the privileges of the origin of the code, and not the privileges of the plugin page's origin."
They've essentially described denying cross-site scripting. This is all very well, but if there's a flaw in the implementation, you still have XSS attacks. There's no sandboxing, no requirement to mark components safe for scripting or initialization, no way for the user to limit which sites can and cannot use script. It's all or nothing. IE has all the above (and the cross-site scripting restrictions).
Fundamentally, with the ability to load unmanaged components, the code can do anything at all. They don't describe any way for components to be recognised as written by a particular publisher or to limit the user's ability to download unsigned controls (possible through Group Policy for IE). The slight limitation is that of course the browser can only load components which conform to the required interface; there are many fewer of those for the Netscape plug-in API than there are COM components.
Let's look at how things work on XP SP2. In Firefox, say I want to watch Strong Bad's latest e-mail and I don't have the Flash player. Clicking that link gives me a big blank area saying 'Click here to get the plugin'. Clicking that gives me a lengthy dialog with a Get the Plug-in and a Cancel button, which doesn't mention security at all. Clicking Get the Plug-in button takes me to Macromedia's download page, so I click Download Now. I get a dialog asking me to save the installer. Once it's downloaded I open the installer, and step through the wizard, which shuts down the browser.
It appears that Firefox can load plugins on the fly, but Flash doesn't bother - it just restarts the browser. The suggestion seems to be that this will become easier - plugins could be downloaded after prompting the user. Netscape 4.x supported SmartUpdate, which does have code-signing, but this required LiveConnect, not present in Firefox. Firefox already supports XPCOM, XPInstall and XPConnect. The first allows binary extensions, the second allows extensions to be installed on demand, and the third allows those extensions to be scripted.
You can get an XPCOM extension which loads ActiveX controls. As a demo, in the download section, click one of the Click Here links. Firefox pops up a dialog:
Note "Install Now" is the default, although it is initially disabled for two seconds. I didn't hit Install Now because firstly I don't want it and secondly it doesn't work in Firefox at present.
Let's try the equivalent on IE. Remember this is SP2. First I have to persuade IE that Flash doesn't exist by deleting it from the registry. Now we go again to Homestarrunner.com. I get the information bar:
Clicking the bar and selecting "Install ActiveX Control" reloads the page and brings up the new security dialog:
Hitting Install downloads and installs the player, then loads the content straight away. Note that "Don't Install" is the default. IE also watermarks files that it downloaded: when you try to open one, you get this dialog:
I suspect the next generation of IE will support .NET-based plug-ins which use the .NET code access security model. It'll probably still support loading ActiveX controls, though.