Interesting. I can understand some of the wontfix argument. If webarchive is supposed to act like an archive of a web site, then that means acting like the web site. I wonder if the file url attacks could be mitigated by not allowing webarchives of file urls. We already have a dozen file formats for file archives. Restrict urls in webarchives to web urls.
Big picture, if you can get the user to click on “I want to open the scary file from the internet”, there are probably a dozen other exploits you can run.
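The restriction suggested in the comment above can be sketched as a check over a webarchive's property list. This is an added example, not part of the original comment and not any vendor's code; it assumes "web URLs" means `http` and `https` only, and the sample archives are constructed.

```python
import plistlib
from urllib.parse import urlsplit

# Assumption: "web URLs" means these two schemes only.
WEB_SCHEMES = {"http", "https"}

def resource_urls(archive):
    """Yield every WebResourceURL in a parsed webarchive, nested subframes included."""
    main = archive.get("WebMainResource")
    if isinstance(main, dict):
        yield main.get("WebResourceURL", "")
    for sub in archive.get("WebSubresources", []):
        if isinstance(sub, dict):
            yield sub.get("WebResourceURL", "")
    for frame in archive.get("WebSubframeArchives", []):
        if isinstance(frame, dict):
            yield from resource_urls(frame)

def non_web_urls(data):
    """Return resource URLs whose scheme is not allowlisted (a missing URL counts too)."""
    archive = plistlib.loads(data)
    return [u for u in resource_urls(archive)
            if not isinstance(u, str) or urlsplit(u).scheme.lower() not in WEB_SCHEMES]

def sample_archive(main_url, sub_urls=(), frames=()):
    """Build a constructed webarchive dictionary for the demonstration below."""
    def res(url, mime):
        return {"WebResourceURL": url, "WebResourceMIMEType": mime,
                "WebResourceData": b"constructed"}
    return {"WebMainResource": res(main_url, "text/html"),
            "WebSubresources": [res(u, "text/plain") for u in sub_urls],
            "WebSubframeArchives": list(frames)}

# Constructed sample input: one archive with web URLs only, one that mixes in
# file URLs at the top level and inside a subframe archive.
CLEAN = plistlib.dumps(
    sample_archive("https://example.com/", ["https://example.com/a.css"]),
    fmt=plistlib.FMT_BINARY)
SUSPECT = plistlib.dumps(
    sample_archive("file:///constructed/page.html",
                   ["https://example.com/a.js"],
                   [sample_archive("FILE:///constructed/frame.html")]),
    fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, non_web_urls(blob))
```

The same function could run in a mail gateway or download scanner to reject or quarantine archives before a user opens them.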