
Chrome OS Dev Update Brings File System Support, More Experiments - dcawrey
http://www.thechromesource.com/chrome-os-dev-update-brings-file-system-support-more-experiments/
======
ezalor
This is not _that_ exciting: a malicious XSS or CSRF and PAF! an attacker
writes on the user filesystem!

~~~
Groxx
You seem to be implying that the browser that first made window, tab, and
plugin sandboxing into a big deal won't sandbox such systems from normal
operation.

ie, it's likely to be exactly as vulnerable as your computer. If you open a
vulnerability in your extension and someone exploits it, it's the same as a
flawed program that allows input being attacked. If they eval JS from
arbitrary sites, that has nothing to do with the security of the system, only
the security of what you installed.

~~~
ezalor
Obvious difference: I expect not to get my HDD corrupted because I visited an
arbitrary web _site_ , I understand it might be the case if I download AND run
an arbitrary program.

~~~
Groxx
If I'm reading the article correctly (and it's a bit vague), these are part of
the experimental extensions API. They're accessible only to arbitrary programs
you've downloaded and run, and they inform you that they use api X.

To make matters harder, experimental API extensions aren't allowed in the
chrome extension gallery - you'll have to go _looking_ for unapproved, file-
system-accessing extensions to expose yourself in the slightest to that
danger.

