Netscape has a "persistent" navigator object, which means that any data put in the window.navigator object will be accessible to every other window as long as the browser is running. This is slightly worse than non-persistent cookies since it works across domains. (not by much.. advertisers didn't wait for this feature to track users from different sites) Any window that somehow gets an handle to another window can look at it. If you try to explore the objects inside that window, you'll see pretty much every global function and variable defined on that window. But you cannot see "sensitive" objects like document, history, location, etc.. This is mostly an attempt at not breaking compatibility with scripts developed with previous versions of Navigator: Every object can be accessed except those known to be sensitive. It can be a problem if a script happens to copy sensitive data into global variables. But you cannot use it to automatically grab form data as was implied on the nsSecurityFlaw1.html page. I'm surprised to see this working on a https page. A page loaded from a secure server should be treated as a secure container ( just like pages containing signed javascripts ) and should refuse any access from external source. http://developer.netscape.com/docs/manuals/communicator/jssec/contents.htm Regards, Henri Torgemane On Wed, 24 Nov 1999, Ahmed Ghandour wrote: > I found one problem wich affect probably all the Netscape browser 4.x if you want to know more details please check out in http://people.magnet.com/~ghandour/ > > Ahmed Ghandour
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:26 PDT