[tex-live] movie15 and media9

Zdenek Wagner zdenek.wagner at gmail.com
Tue Mar 20 10:17:40 CET 2012

2012/3/20 Reinhard Kotucha <reinhard.kotucha at web.de>:
> On 2012-03-20 at 01:29:45 +0100, Zdenek Wagner wrote:
>  > > Adding a scripting language is always critical in respect of
>  > > security.  But hyperlinks are dangerous too, they simply postpone
>  > > the problem to the web browser, which probably executes JS
>  > > code...
>  > >
>  > If I understand JS security, there is a big difference. If JS runs
>  > in a web browser, it can only connect to the server which provided
>  > the web page and the script cannot read arbitrary local files. If
>  > the script runs in AR within a file saved in your computer, it can
>  > connect to any server and has full access to your disk. It can read
>  > any file and send it to any server.
> A hyperlink in a PDF file can connect *any* server.  JS in AR not
> involved at all.
Sure, but following a hyperlink is not dangerous. JS running on that
web page has limited access to your disk and cannot connect to other
serves. JS running in AR when displaying PDF from your disk can for
instance read your keyring and send it to any server. JS in a web
browser can only do it if you store the HTML and JS files to your disk
and open them locally.

> Regards,
>  Reinhard
> --
> ----------------------------------------------------------------------------
> Reinhard Kotucha                                      Phone: +49-511-3373112
> Marschnerstr. 25
> D-30167 Hannover                              mailto:reinhard.kotucha at web.de
> ----------------------------------------------------------------------------
> Microsoft isn't the answer. Microsoft is the question, and the answer is NO.
> ----------------------------------------------------------------------------

Zdeněk Wagner

More information about the tex-live mailing list