> %-> Physical access is not required:
> %-> 1. I can crash the browser by sending you a suitable html email bomb
> No need, if you have Win2K: just point your browser to a well-known site
> such as www.intel.com (no, I'm not kidding -- Intel's Web site crashes IE 5
> on my computer).
> %-> 2. Backoffice etc is sufficient to then retrieve the core/log file
> Using Backoffice would seem a bit extravagant... huge licensing fees ...
Sure, if you're in a networked environment where you can scoop arbitrary files off of a user's machine, then you don't need access to the machine. In this case, you're in a pretty sad environment security-wise.
Just so that no one reading this correspondence gets confused, I want to stress that in any case, the retrieved data does not leak any valid capabilities. The capabilities die with the HTTP session.
The only exception to this would be if someone could crash your computer, grab the core dump off your computer and search it for capabilities before the HTTP session terminates. If an attacker has this kind of power over your machine, I submit that you're toast under any security model.