It looks like a Javascript thread-of-execution that can write to local filesystem paths (to render graphics, at least) may call into network-loaded DOM/code. Is there any assurance that page contents can't discover and use phantom API operations? (Or perhaps read local 'file:' URIs?)
Wow, that's a good insight, seems like a possible attack vector. Maybe something like Adobe Air's security model of putting local access and network access in different iframes with a message-passing API between them would work. That's always felt like a bit of a hack to me but at least the separation between different frames in WebKit has been well-tested.
GreaseMonkey has to contend with these same issues. It has a security model, which will be broken if developers ignore the list of things you can't do.
But, have security issues been considered?
It looks like a Javascript thread-of-execution that can write to local filesystem paths (to render graphics, at least) may call into network-loaded DOM/code. Is there any assurance that page contents can't discover and use phantom API operations? (Or perhaps read local 'file:' URIs?)