mozilla and security zones

[kurt wismer]

http://www.steelgryphon.com/blog/?p=44

it would appear that the folks at mofo are looking to try to implement
some kind of security zone framework in future versions of the
browser... this set off alarms in my head because i remember nick
stating that the security zone model IE used was fundamentally
broken... is mozilla going to start mirroring IE's mistakes?

 

[Bigbruva]

With success, comes pressure
With pressure, comes mistakes :-(

BB

 

[=?ISO-8859-1?Q?=BBQ=AB?=]

http://www.steelgryphon.com/blog/?p=44

it would appear that the folks at mofo are looking to try to
implement some kind of security zone framework in future versions
of the browser... this set off alarms in my head because i
remember nick stating that the security zone model IE used was
fundamentally broken... is mozilla going to start mirroring IE's
mistakes?

In the proto-spec at <http://www.steelgryphon.com/blog/?page_id=43> the
only differences between the current default and the most permissive
proposed zone are that in the permissive zone, third-party cookies are
allowed and XPI installs are allowed.

It's already possible to allow third-party cookies in Firefox, though
not on a site-by-site basis. (I think such per-site cookie control is
possible with an extension, but I'm not sure.)

There's also already a whitelist for sites that can use XPI installers.
The user is still prompted for any install from a whitelisted site, and
I guess that prompt would remain for sites in the permissive zone.

On the face of it, the proposed zones don't look as troubling as IE's
have turned out to be. But I would like to hear what Nick or others
familiar with the problems of zone models think.