anyway, i procrastinated research for a month or so, and when i realized i wasn't going to fuzz each html tag for js execution i emailed giorgio... that deflating sound is my ego:
many thanks for the PoC.
Is it just about links going back and forth in history working?
If you want, you can disable this feature from the aforementioned configuration option.
Please let me know if I'm missing something more malicious.
Thank you again.
oh wow! rtfm & bad on me! ;) ok, well the things that seem malicious are all subtle imo.
the fact that .go() can be used for arbitrary navigation kinda seems dangerous. even though you'll be running noscript wherever you end up, it could be used to exploit a vuln that noscript doesn't protect against (possibly flash, pdf, etc).
and giorgio disagrees:
no "automatic navigation" can be triggered, because of the way this feature works: it reacts on *user click*, checks if the clicked item is a link (either an anchor or a map or a button) and tries to "guess" the destination by simple string parsing, then emulates the navigation.
well, i'm not going to get into an infosec pissing match w/ a guy who's contributed more to protect end-users than i prolly ever will... sigh...
i was really surprised to find script execution when i had ns set to not allow scripts globally.
for the navigation feature, i've got no click-generating foo atm. iirc there are things that can be done to overlay pages and catch clicks.
for the sandbox fun, nursing my bruised ego kept me away from coming up w/ a way to smuggle the information back to the attacker. but my understanding of infosec suggests that giving someone a way to discover information about a system (file exists, exists but you don't have perms, exists and is executable, and doesn't exist) is not optimal. also, prompting a user w/ a download dialogue seems dangerous, even for local files.
anyway, i've put up a quick PoC for the stuff i was playing with...