I can see it being useful for some intranet applications. And dangerous for (untrusted) internet use.
To deny its existence (which would have to be done by disallowing any extensibility in the protocol handler namespace - anyone can create a new protocol handler which could potentially also be abused) is not a practical option because it limits legitimate implementation of valuable functionality.
The key is ensuring that powerful features like this operate with very strict security restrictions, and/or are available only to callers that are trusted. Clearly this has not been done.
Re: maybe this'll make some people feel better *grin*
Date: 2004-07-11 07:05 am (UTC)