I saw quite a few people surprised at this little known tidbit about eval in firefox. Maybe it's just me, but can't we simply download the script and run it in Rhino or whatever if we really wanted to extract "private" data for an attack?
I thought one of the golden rules of security is that there's no such thing as client-side security.
No comments:
Post a Comment