New Ideas for Comodo Dragon

Chromium 5 UI design for these settings suffers from serious drawbacks:

  • Difficult to remove all existing cookies without deleting extensions' local storage
  • No way to manage per site/url preferences (cookies, popups, JavaScript) using a single dialog
  • No webpage right-click shortcut to access per-site preferences

Is there any plan to overcome those shortcomings in Dragon?

Perhaps implementing something like this:

http://files.myopera.com/Tamil/Blogs/O%20Site%20Preferences.gif

About secure password handling…

Chromium 1.0 failed many tests meant to evaluate the security of inbuilt password management features.

Those tests by Chapin Information Services are not available anymore but there is still a description on newsgroups.

Though not unlikely, it is unclear whether Chromium improved its implementation.

Will the following scenarios be tested on Dragon and the tests publicly released (like CLT)?

http://www.p2pnet.net/images/chapx.gif

Image from http://www.p2pnet.net/story/17871

Action Authority Checked on Retrieval

To pass this test, the PM must never deliver a password to a domain other than the
one to which the password was delivered when it was saved. For example, if a password
is saved on a self-referring form, and then automatically filled in another form that
points to a different website, then the PM has failed this test.

Action Authority Checked on Save

To pass this test, the PM must never overwrite the destination domain name of a
password without explicit user interaction. For example, if a password is first saved
on a self-referring form, and then re-saved on a form that points to a different
website, and the PM prevents the password from being filled on the original form,
then the PM has failed this test. Note the implicit requirement that a PM must
distinguish authorities on retrieval.

Action Authority Raises Warnings

To pass this test, the PM must warn the user if the action authority does not match
the page authority. For example, if a login form at www.info-svc.com:80 points to
google.com or to www.info-svc.com:81, and the PM allows a user to save or submit a
password using this form without notice, then the PM has failed this test.

Action Path Checked on Retrieval

To pass this test, the PM must never deliver a password to a path other than the one
to which the password was delivered when it was saved. For example, if a password is
saved on a self-referring form, and then automatically filled in another form that
points to a different parent directory, then the PM has failed this test.

Action Path Checked on Save

To pass this test, the PM must never overwrite the destination path of a password
without explicit user interaction. For example, if a password is first saved on a
self-referring form, and then re-saved on a form that points to a parent directory,
and the PM prevents the password from being filled on the original form, then the PM
has failed this test. Note the implicit requirement that a PM must distinguish paths
on retrieval.

Action Scheme Checked on Retrieval

To pass this test, the PM must never deliver a password using a protocol other than
the one by which the password was delivered when it was saved. For example, if a
password is saved on a self-referring web page, and then automatically filled in
another form that uses e-mail to deliver the password, then the PM has failed this test.

Action Scheme Checked on Save

To pass this test, the PM must never overwrite the destination scheme of a password
without explicit user interaction. For example, if a password is first saved on an
http: form, and then re-saved on a form that uses https: or mailto: and the PM
prevents the password from being filled on the original form, then the PM has failed
this test. Note the implicit requirement that a PM must distinguish schemes on retrieval.

Action Scheme Raises Warnings

To pass this test, the PM must warn the user if the action scheme is potentially
unsafe or does not match the page scheme. For example, if a login form uses an e-mail
application that will display the password on screen, and the PM allows the user to
save or submit a password using this form without notice, then the PM has failed this
test.

Action Scheme Prevented if Unsafe

To pass this test, the PM must successfully abort a password delivery if requested by
the user.

Autocomplete=Off Prevents Form Fills

To pass this test, the PM must never deliver a password when the autocomplete
attribute is present and set to “off”.

Invisibility Prevents Form Fills

To pass this test, the PM must never deliver a password using a form that is not
visible. For example, if a login form is present on a web page but has its display
property set to none, and the PM automatically fills the form allowing the password
to be transmitted despite being invisible, then the PM has failed this test.

Method Checked on Retrieval

To pass this test, the PM must never deliver a password using an HTTP method other
than the one by which the password was delivered when it was saved. For example, if a
password is saved on a form that uses POST, and then automatically filled in another
form that uses GET to deliver the password, then the PM has failed this test.

Method Raises Warnings

To pass this test, the PM must warn the user if the password submission method is
potentially unsafe. For example, if a login form uses GET, which causes the password
to be added to the address bar, and the PM allows the user to save or submit a
password using this form without notice, then the PM has failed this test.

Multiple Paths per User per Authority

To pass this test, the PM must allow a user to save different passwords in different
paths of a single domain using the same user name. Note the implicit requirement that
a PM must distinguish paths in both the action URI and page URI.

Multiple Ports per User per Authority

To pass this test, the PM must allow a user to save different passwords using
different ports on a single domain using the same user name. Note the implicit
requirement that a PM must distinguish ports in both the action URI and page URI.

Multiple Schemes per User per Authority

To pass this test, the PM must allow a user to save different passwords using
different schemes on a single domain using the same user name. Note the implicit
requirement that a PM must distinguish schemes in both the action URI and page URI.

Page Path Checked on Retrieval

To pass this test, the PM must never deliver a password to a path other than the one
at which the password was requested when it was saved. For example, if a password is
saved on a self-referring form, and then automatically filled in another form that
points to the same path but is located in the parent directory, then the PM has
failed this test.

Random Name Attribute Prevents Form Fills

To pass this test, the PM must never fill a password in a form field whose name
attribute does not match the name of the field that was used to save the password.

User Required for Password Retrieval

To pass this test, the PM must never fill a password without explicit user interaction.

User Required for Password Save

To pass this test, the PM must never save or overwrite a password without explicit
user interaction. For example, if a password is saved with a username, and then the
same form is re-submitted with the same username and a different password, and the PM
then fills the new password into forms instead of the original password, then the PM
has failed this test.

Valid URIs Don’t Break Anything

To pass this test, the PM must never submit a password to the wrong URI or fail to
submit a password to a valid URI as a result of erroneous action attribute parsing.
For example, if the action attribute value is “mailto:localpart[at]www.info-svc.com” and
the PM delivers a password to “http://www.info-svc.com/mailto:localpart[at]www.info-svc.com”
then the PM has failed this test.
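
The retrieval-side tests listed above (action scheme, authority and path, page path, method, field name, autocomplete, visibility, user interaction) can be read as one fill decision. The sketch below is an added example, not code from Chromium, Dragon or Chapin Information Services; the record layout, the function names and the example.test URLs are assumptions made for illustration.

```javascript
// Added example: retrieval-side checks for a password manager (PM).
// Record layout, names and example.test URLs are assumptions for illustration.

// An empty action means the form is self-referring; a relative one resolves
// against the page; an absolute one (mailto:, https:) must be kept as-is.
function resolveAction(pageUrl, action) {
  return new URL(action || pageUrl, pageUrl);
}

// host carries a non-default port, so :81 and :80 are distinct authorities.
function parts(u) {
  return { scheme: u.protocol, authority: u.host, path: u.pathname };
}

// Snapshot taken when the user explicitly saves a password.
function makeRecord(pageUrl, form) {
  return {
    page: parts(new URL(pageUrl)),
    action: parts(resolveAction(pageUrl, form.action)),
    method: (form.method || "GET").toUpperCase(),
    fieldName: form.fieldName,
  };
}

// Returns the names of the violated checks; an empty array means "may fill".
function fillViolations(rec, pageUrl, form, userInitiated) {
  const page = parts(new URL(pageUrl));
  const action = parts(resolveAction(pageUrl, form.action));
  const v = [];
  if (!userInitiated) v.push("user-required");
  if (form.autocomplete === "off") v.push("autocomplete-off");
  if (form.visible === false) v.push("invisible-form");
  if (action.scheme !== rec.action.scheme) v.push("action-scheme");
  if (action.authority !== rec.action.authority) v.push("action-authority");
  if (action.path !== rec.action.path) v.push("action-path");
  if (page.path !== rec.page.path) v.push("page-path");
  if ((form.method || "GET").toUpperCase() !== rec.method) v.push("method");
  if (form.fieldName !== rec.fieldName) v.push("field-name");
  return v;
}

// Constructed sample: a self-referring POST login form saved by the user.
const PAGE = "https://login.example.test/account/login";
const SAVED_FORM = { action: "", method: "post", fieldName: "pw", visible: true };
const RECORD = makeRecord(PAGE, SAVED_FORM);
console.log(fillViolations(RECORD, PAGE, SAVED_FORM, true)); // []
```

Because the action is parsed as a URL before comparison, a mailto: action stays a mailto: URI and is never turned into a path under the page's host, which is the parsing failure the last test describes.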

Understood. No more questions left.

Last attempt – implement in CD functionality similar to what these FF addons provide: NoSquint, Flashblock, BetterPrivacy.

Thanks, I will try this if I install CD once again.

I use Net iD client from SecMaker AB. I asked them when Chromium will be supported. Here is the reply:

Vi kommer stödja Chrome när de har fullständigt certifikat stöd som Firefox har.
In English (my translation): "We will support Chrome when they have full certificate support as Firefox has." ???

If you can provide valid points to your wish to include those features then by all means do so in the Wishlist boards. That way we (Comodo) can gauge if there’s high demand for these features. :wink:

Multi registration & log-in tool:
many forums - e.g. this SMF - are working with the same registration page, so I wonder if you can create a tool which would suggest me automatic registration - then logging in - with a previously given default own details (e.g. Arkangyal|xyzpassword|etc.). I know that captcha (I don’t know the name, but the image robot protection) can make this difficult, but maybe that will be the only one I need to type in and everything is faster.
I don’t have to remember user names, passwords, etc. I shouldn’t even know my password / site, CD shall generate one / site.

Much better download manager - current version … well, erm, much like a key (CD download manager) from a keyboard (many others).

To my surprise I noticed Chromium's least-privilege approach is not applied to the Flash plugin (using Process Explorer).

I was able to confirm that on an XP admin account Dragon does the same and allows the Flash plugin to run in a child process with full privileges.

Considering the browser should be able to run fine on a limited account (thus Flash too) I was wondering if the admin privileges could be stripped from flash child-process when Dragon is run on XP’s administrator accounts.

It would be nice if an optional switch could be provided to force dragon main process to run using limited permissions as well.

No plugins are “sandboxed” by default: Google Chrome

You can use -safe-plugins, but some plugins will not work (e.g. Adobe Reader).

-trusted-plugins= can be used to make exceptions (e.g. -safe-plugins -trusted-plugins=nppdf32.dll).

Maybe -safe-plugins could be automatically applied to Flash Player?

Indeed I overlooked to address all plugins and was paying attention only to flash. My bad :-[

Thanks, I was searching for something like that and possibly some additional switch to reduce privileges of the main executable.

AFAIK on Vista and later OSes Chromium will not get baseline admin permission if not explicitly run elevated (UAC etc…) at least.
This could explain why -safe-plugins switch does more than I asked for.

I looked at the security restrictions enforced by -safe-plugins on XP and found them to be more severe than limited accounts (many Deny-only tokens and some Restricting SIDs).

This could explain the incompatibility issues for Adobe Reader plugin but I guess there won’t be such issues if the restrictions would be comparable to limited accounts (AFAIK something that happens by default on Vista)


Groups:
DOMAIN\Domain Users 
Everyone 
BUILTIN\Administrators  [Deny only]
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users 
LOCAL

Privileges: SeChangeNotifyPrivilege

Perhaps the default implementation for XP could be reworked to automatically limit baseline permissions to limited user for the main executable and all plugins.

My solution is to use PsExec.

C:\Program\PsExec\psexec.exe -l -d "C:\Program\COMODO\Dragon\dragon.exe" -safe-plugins -trusted-plugins=nppdf32.dll

Adobe Reader works fine “limited” (=LUA), so it could be a good compromise to run all plugins limited. :slight_smile:

Indeed. I did that as well and ATM I’m testing some changes to the registry to have such command enabled by default for most open commands (eg Clients\StartMenuInternet, \ChromeHTM etc) Hope it works :-TU

Like this?

Ow! I didn’t think about that :cry:

I actually edited most places in the registry where the browser command was specified. (sigh)

Hi guys,

Something simple you could add in the “options - personal data” is = erase all my traces when leaving CD
It’s very useful to be sure that someone using the PC after you will not be able to see what you’ve done.

Regards

Gillou

Smooth scrolling. :-TU

CD, like CVE, has a database of domains trusted by Comodo, but some web sites I use aren’t trusted, and I think it will be boring to post all domains I want to be trusted.

What about a cloud? Like CIS for safe and unsafe applications. If CD doesn’t know about a domain, it asks the Comodo server, sends the new domain name or gets an answer about whether it is safe or not.
Comodo team will just have to check and certify domain names and add them to CD at next release like CIS for applications or in the cloud.

password manager for stored passwords. O0

Try to make WOT work with Dragon 'cause mine currently doesn't work :-TU ???

+1

As I am concerned with privacy, I decided to give Dragon a test. I went to

And tested. While my results with Dragon were not ‘unique’, meaning that my browser could be identified and tracked, Dragon did not do as well as Opera in protecting my privacy. I would have thought the opposite to be true. I suggest that the developers make improvements in this area.