 |
Post AnH4HQlzh7H6RsQUxE by [email protected] |
 |
More posts by [email protected] |
|
Post #AnEuT0AD48e1XQiCUi by [email protected] |
|
1 likes, 0 repeats |
|
|
|
One of the things that is destroying the web is WASM and JavaScript.This isn… |
|
|
|
Post #AnEv5JC6l6LXZ4rkga by [email protected] |
|
0 likes, 0 repeats |
|
|
|
The problem is literally that the Web Browser no longer is a web platform. It&#… |
|
|
|
Post #AnEzrKAEr6smI08uJ6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
I don't know what Roblox is doing - but I think Roblox is maybe the birthpl… |
|
|
|
Post #AnF3dMdLHFkbi7M2AC by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@silverwizard I wonder if there's a way to say "do not run scripts in … |
|
|
|
Post #AnF3nLOWjqhOlQBRVg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@IceWolf I mean - I'd love to make tools to allow noscript sites. Sites tha… |
|
|
|
Post #AnF3zCM8AaVSCpiPJo by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@silverwizard And there's evidently ways to do it safely, because JSFiddle … |
|
|
|
Post #AnF5v1j1x60PzAZ5uq by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@IceWolf I don't know what JSFiddle is doing - but I assume it's some s… |
|
|
|
Post #AnFBGjCA1jfcenMExU by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@silverwizard I do know, or knew at least, and it absolutely is a little hacker… |
|
|
|
Post #AnFEMyZg3lXhxH1osy by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@silverwizard because of failing to sandbox user HTML contexts from the web sit… |
|
|
|
Post #AnFEOstc8vbUvHGPLM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@ajroach42 I feel like all of the good hacker incubators are massive threat vec… |
|
|
|
Post #AnFF7wiCnmcjmzPkSu by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard I would also argue that it enables the big corps to limit our fre… |
|
|
|
Post #AnFFvMnoaRgatfbUbA by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard is it safe to let users generate even arbitrary HTML? Was it ever… |
|
|
|
Post #AnFI2ntETV0qqHoNuK by [email protected] |
|
0 likes, 1 repeats |
|
|
|
@silverwizard BBS > Neopets > roblox. The hacker incubation evolution. |
|
|
|
Post #AnFI9rL03PsjYxAEMK by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@j_angliss Ya ain't wrong |
|
|
|
Post #AnFIOuH1QA4X0nTjBw by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@silverwizard though to be fair the available sandboxing mechanisms for anythin… |
|
|
|
Post #AnFKGGug4tO0Wt2Nwu by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@silverwizard I haven't seen the video, but I worked in reliability there f… |
|
|
|
Post #AnFKfQ2NI8sE4Dd2tE by [email protected] |
|
1 likes, 0 repeats |
|
|
|
One can only hope! |
|
|
|
Post #AnFLR0Ls5pJ8IxRGqG by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@ajroach42 I hope they learn to take that seriously. But I bet neopets was just… |
|
|
|
Post #AnFSvln8ybUXnsoQNM by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@valk why would styling be unsafe? |
|
|
|
Post #AnFT82cUEg8jTCg9uy by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@brooke I mean, the problem with the browser sandbox is that everything is in t… |
|
|
|
Post #AnFTBQUxuatyOgm7Lk by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@montyontherun yeah! We can build these things! Build a limited web and unlimit… |
|
|
|
Post #AnFTPF7szSefBHZHrE by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@silverwizard I've been saying this since the late 90s. |
|
|
|
Post #AnFTxSOu8tWsCGqKLw by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@silverwizard it certainly increases the security surface to worry about :) |
|
|
|
Post #AnFV12q7DhF226qTGi by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard @valk It’s rare, but keyloggers and other funny things have hap… |
|
|
|
Post #AnFVcOXPVcPE2luEee by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard one could always hide a malicious / phishing link with an A tag. … |
|
|
|
Post #AnFaXDDgf55HGR1qFc by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@valk I mean, they could definitely add tracking, definitely. And as long as yo… |
|
|
|
Post #AnFaZWZxegrxsvY9K4 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@brooke yeah! Limit the browser's capabilities and you shrink surface into … |
|
|
|
Post #AnFab9DnT89W1QxNIW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@lifts @valk right, CSS has grown to madness |
|
|
|
Post #AnFlehtw5OzbwZZC0u by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard i think the point i was trying to make is that you don't need… |
|
|
|
Post #AnGKuXY7q2LarpeNBg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@valk I personally think JavaScript is underhated. I think people don't thi… |
|
|
|
Post #AnGW01tVXjszvLTJD6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard @IceWolf Isn’t that CORS? You can disable inline JS, limit JS i… |
|
|
|
Post #AnGW025YovWkWj6vzs by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@hypolite @IceWolf CORS allows you to limit cross domain resources. But I can m… |
|
|
|
Post #AnGZEILTTVcurY2xZg by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard @IceWolf Sorry, not CORS, I meant CSP. CSP allow you no to run in… |
|
|
|
Post #AnGZeY9NKrHHPSuHjs by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hypolite @IceWolf Does CSP let you reject javascript from the local domain? |
|
|
|
Post #AnGh2iY11rKsHmu3t2 by [email protected] |
|
1 likes, 0 repeats |
|
|
|
underhatedI am so using that |
|
|
|
Post #AnGjU3ksUJq3mq5K7c by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard it was already dangerous in the MySpace days. https://samy.pl/mys… |
|
|
|
Post #AnGjwc6iMR0cR7uktc by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@Sconient Oh yeah - JS existed ;) |
|
|
|
Post #AnGlEinIL1mOLG1sie by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard It should, if it is restrictive enough. What is the specific use … |
|
|
|
Post #AnGlXNpmUUEmq15hj6 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hypolite https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Sec… |
|
|
|
Post #AnGrDx1GYwextda1uy by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard “none” is a valid value for “script-src”. |
|
|
|
Post #AnGu0Gvg2cR1SD8QW8 by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hypolite Does that block local scripts? I thought it didn't? I don't h… |
|
|
|
Post #AnH2BCbBHXCCqFGr9E by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard The browser *is* a platform. it's a really accessible, standa… |
|
|
|
Post #AnH2MoOJ6wi3Eomk2i by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard What do you call "local scripts"? |
|
|
|
Post #AnH3njWPQHuzuPyYZE by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hypolite So if I send:Content-Security-Policy: script-src: 'none'<h… |
|
|
|
Post #AnH4HQlzh7H6RsQUxE by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hypolite Ok - actuallyI rancat test.txt | nc -l -p 2000with test.txt containin… |
|
|
|
Post #AnH4bLIFmGIhFH0gYi by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hypolite Ran it in Chrome and Firefox as well. Also changed the CSP to default… |
|
|
|
Post #AnH5uiMyIyj2Gr1Bpo by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard The script won't run unless the unsafe-inline policy is expli… |
|
|
|
Post #AnH5wzrKFZml5pIvDs by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hypolite But it ran! |
|
|
|
Post #AnH5zVYbMvV5yvkAhE by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard How about with self? |
|
|
|
Post #AnH7FzTtyl27NSy7wO by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@hypolite Trying adding self to any of the sources could not cause the script t… |
|
|
|
Post #AnHBg6HRiqCXoIqeWW by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard I wrote this before you performed your netcat experiment! I'… |
|
|
|
Post #AnHC04NyTb1Nj3QLZo by [email protected] |
|
0 likes, 0 repeats |
|
|
|
@silverwizard This is disheartening as CSP are supposed to address exactly that… |
|
|
|
Post #AnHCwCCDaz3EkFdqc4 by [email protected] |
|
1 likes, 0 repeats |
|
|
|
@hypolite I think it's just that browser vendors are unwilling to support t… |
