
Thread: What am I missing concerning Chromium and potential cross site scripting?

  1. #11
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by TheFu View Post
    It all started when they removed the "Don't be evil" motto. Seems their motto is now, "see what we can get away with doing".
    Actually, you are right there.
    Quote Originally Posted by TheFu View Post
    Just yesterday…
    True, that. I withdraw my comments.
    Quote Originally Posted by TheFu View Post
    Is that a company that should be trusted?
    No, but please name a giant company that can be trusted! At least it's not as godawful as Amazon, the way it treats its workers.
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  2. #12
    Join Date
    Jan 2018
    Beans
    102

    Re: What am I missing concerning Chromium and potential cross site scripting?

    So apparently cross site scripting has various levels of severity.

    XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.
    https://owasp.org/www-community/attacks/xss/

    and

    The impact of XSS is moderate for reflected and DOM XSS, and severe for stored XSS, with remote code execution on the victim’s browser, such as stealing credentials, sessions, or delivering malware to the victim.
    https://owasp.org/www-project-top-te...cripting_(XSS)

    So I'm sure this factors into Ubuntu's CVE Priorities.

    And apparently cross site scripting is not strictly medium. I found a couple of cross site scripting CVEs on the Ubuntu CVE tracker which were rated high. And over 300 rated low.

    https://ubuntu.com/security/cves?q=X...rsion=&status=

    But then ian-weisser did say that the CVE Priorities were merely guidelines.

    https://ubuntuforums.org/showthread....9#post14123529

    Still, the vast majority of cross site scripting CVEs do seem to be medium so I'm not sure that these observations help answer my questions.
    Last edited by donald187; January 5th, 2024 at 09:11 PM.

  3. #13
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Just turn off all XSS everywhere and be done with it. Any website that doesn't work without XSS off is one that home users don't need to visit.

    If it is required for a work-related webapp, then you shouldn't be using any of your own equipment and the company is responsible for everything. If they allow it for any reason, including ignorance, it is their fault, not yours.

    XSS has been a known attack vector for about 15 yrs. We have choice. We don't need to accept defaults if we disagree with them. We don't have to use webapps that are security and/or privacy risks. We don't have to use programs that don't meet our security requirements. Sometimes I use lynx for browsing. Sometimes I will use a web-site cloning tool to grab a specific page I want from a website - outside using any browser. We don't have to use javascript either.

    These things are all our choices to make. Nobody else can make them for us, at least at home. It is fine to disagree with others. We each have different needs.

  4. #14
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by TheFu View Post
    Any website that doesn't work without XSS off is one that home users don't need to visit.
    I think that you meant "with", not "without"?
    Quote Originally Posted by TheFu View Post
    Just turn off all XSS everywhere and be done with it.
    Agreed. My websites explicitly forbid XSS altogether.
    Quote Originally Posted by TheFu View Post
    We don't have to use javascript either.
    That one is really hard! I use a CMS (content management system), specifically WordPress, to generate my websites, and that's impossible without JavaScript, unfortunately.

  5. #15
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by Paddy Landau View Post
    That one is really hard! I use a CMS (content management system), specifically WordPress, to generate my websites, and that's impossible without JavaScript, unfortunately.
    https://www.schneier.com/blog/archiv...zero-days.html It uses Javascript to get root. JavaScript is very complicated. The barrier to entry for programming it is extremely low. Just because something works, that doesn't mean it is secure. Sure, that was an Apple/iOS (not Cisco) issue, but javascript is problematic for many security reasons. I'd rather not allow random people in the world to run their code on my systems.

    My default browser setup denies javascript and it generally works to consume content. I don't use a browser for videos or audio mainly for security reasons, so there's little need for javascript to be allowed from random websites. Heck, even on these forums, I disallow a number of unnecessary sites from running javascript. Sometimes there is a small change and things break. Nobody said security was free.

    On my blog, there is some javascript used - mainly for analytics and for posting. If you don't allow javascript, that's 100% fine with me. 99.999% of the content will still be shown. Analytics help me to make decisions. I don't outsource it. That would be breaking the trust, considering people are visiting my home, literally, when they come to my blog. I demand very few things of visitors, but proper behavior is enforced, sometimes. There are some really nasty people in the world. This morning, I was reviewing anomalous log lines and saw a new attack. It was getting farther than I expected, but since I have multiple layers of security, it was blocked. The subnet their traffic originated from is now blocked. Sorry for everyone else caught in that same subnet. It was only a /20, so not overly huge. It was from a reputable VPS company, so their account will be terminated soon, if it hasn't already been by the VPS guys. The VPS doesn't want to be notified, it seems since their "abuse" email address doesn't work. I don't use them, but did consider them in my final 2 choices. It really came down to a flip of the coin for which VPS I'd use. OTOH, moving to a new VPS isn't a big deal to me. The actual "work" would be about 10 minutes, with the DNS updates forcing the longest delays.

  6. #16
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by TheFu View Post
    My default browser setup denies javascript and it generally works to consume content.
    Intrigued, I decided to test this on my own website. It mostly works without Javascript, although the website doesn't look quite as "pretty". The contact form (presumably because of the anti-spam measures) and some of the buttons such as the "phone" button, don't work.

    (Edited to correct "Javascript")
    Last edited by Paddy Landau; January 4th, 2024 at 06:38 PM. Reason: Make a correction

  7. #17
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Details matter.

    Java and JavaScript are two COMPLETELY DIFFERENT languages.

    Java-based websites/webapps need a JRE on the client-side to work at all. I haven't installed any JRE in over a decade.

    Around 1994, I was working in a govt lab writing cross-platform C++ and some guys from Sun Microsystems came for a visit and exchange. It was dev to dev stuff - which had everyone on my team installing a JRE and running little java applications, copying the binaries to every platform we had (about 15 different platforms) and running the java programs. They were slow and bloated. The Sun devs said that would be addressed with tighter code and better performance. 29 yrs later and I'm still waiting.

    JavaScript was Mozilla's attempt to leverage Java's good press (at the time) for being secure. They look a little like each other, but are vastly different.

    Do you really have a phone button on your website? Is it a $15/minute number? I've thought about setting one of those up as my main phone number to give out. I really hate phones since I was on-call 24/7/365 for 5 yrs - not allowed to leave the city. Text is even worse.

  8. #18
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by TheFu View Post
    Details matter.

    Java and JavaScript are two COMPLETELY DIFFERENT languages.
    Aargh! I meant to write "Javascript". I have no idea why I wrote "Java" and then failed to pick it up when proofreading.

    It was Javascript, not Java, that I disabled.
    Quote Originally Posted by TheFu View Post
    Do you really have a phone button on your website?
    Uh, yes, lots of websites do. It used to work from Chrome on the desktop or laptop: Press the button, and (after asking for confirmation) your Android mobile phone would dial it. (That assumes that you have logged into Google on both devices.) Chrome since removed that functionality, who knows why, but it still works if you press the button on the phone's browser itself. I believe that it works on both Android and iOS.

    You've been missing out by disabling Javascript!
    Quote Originally Posted by TheFu View Post
    Is it a $15/minute number?
    No, ha ha! That sort of thing is very uncommon here in the UK, and tightly regulated. Mine is just a normal landline. It saves the person from having to type the number on their phone: Just press a button and it dials.
    Quote Originally Posted by TheFu View Post
    I really hate phones since I was on-call 24/7/365 for 5 yrs - not allowed to leave the city.
    Oof, that sounds dire. I've been on 24-hour call at times in my life, but always for a restricted number of days. Once, I was extremely tired, and late that night, I woke up to realise that I was on the phone (this was in the days before mobile phones had been invented). The person who had called me was saying in a concerned voice, "Paddy, are you awake?" I wasn't awake up until that moment!
    Quote Originally Posted by TheFu View Post
    Text is even worse.
    How do you cope in today's world?!

  9. #19
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by Paddy Landau View Post
    Aargh! I meant to write "Javascript". I have no idea why I wrote "Java" and then failed to pick it up when proofreading.

    It was Javascript, not Java, that I disabled.
    I've made similar mistakes thousands of times here. I drop words or end ideas in the middle of a post all the time.

    Quote Originally Posted by Paddy Landau View Post
    Uh, yes, lots of websites do. It used to work from Chrome on the desktop or laptop: Press the button, and (after asking for confirmation) your Android mobile phone would dial it. (That assumes that you have logged into Google on both devices.) Chrome since removed that functionality, who knows why, but it still works if you press the button on the phone's browser itself. I believe that it works on both Android and iOS.
    The "tel:" URL works without javascript. From what I've seen, javascript is abused about 85% of the time when it isn't necessary, even for websites that appear dynamic with a mouse-over toggle for each menu area using CSS. It is only Ajax stuff that needs javascript, IME.

    Quote Originally Posted by Paddy Landau View Post
    You've been missing out by disabling Javascript!
    Nope. I don't have any FOMO here.

    Quote Originally Posted by Paddy Landau View Post
    No, ha ha! That sort of thing is very uncommon here in the UK, and tightly regulated. Mine is just a normal landline. It saves the person from having to type the number on their phone: Just press a button and it dials.
    There's a URL - "tel:" ... just like the "mailto:" URL. These have been around since HTML2, I think. If someone needs to communicate with me and they aren't 1 of about 15 close family/friends, they can leave a message on the home phone or email or send a letter. There's no other method. I don't get texts. They are blocked. It has caused issues for some contractors wanting to work with me. They'd assume I had a cell phone number, which I don't. I have a cell phone, but it is used as a small tablet, wifi controller, SIP phone and GPS. It is not connected to a network very often, unless I'm traveling to somewhere I've never been before. Then I'll get a 7 day, $10, data-only, plan in the location.

    Quote Originally Posted by Paddy Landau View Post
    Oof, that sounds dire. I've been on 24-hour call at times in my life, but always for a restricted number of days. Once, I was extremely tired, and late that night, I woke up to realise that I was on the phone (this was in the days before mobile phones had been invented). The person who had called me was saying in a concerned voice, "Paddy, are you awake?" I wasn't awake up until that moment!
    I will never be on-call in that way again. I had no replacement for those years, actually, until I forced it by leaving. Nobody in my team had the same access levels I had for secure networks. We all worked for different companies. Lives were on the line.

    Quote Originally Posted by Paddy Landau View Post
    How do you cope in today's world?!
    I don't understand the question. Cellphones and texting aren't a requirement for anything that I know about.

  10. #20
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by TheFu View Post
    The "tel:" URL works without javascript.
    Ugh, of course, you are absolutely correct. I just didn't see it properly without the Javascript.

    The system that I use is designed for people like me who need something to do the work on my behalf. The days of me programming websites were about 3 decades ago, and anyway I don't have the time. I think that that's why it uses Javascript. The site also uses Javascript to hide the email address from bots; without Javascript, the user has to go to the Contact page to find my telephone number, as the email address is hidden, and the contact form isn't displayed.
    Quote Originally Posted by TheFu View Post
    I don't understand the question. Cellphones and texting aren't a requirement for anything that I know about.
    Ha ha, that's a lovely reply. I was thinking just the other day about how complex our lives have become, and how it would help people — and the planet — to revert to a simpler lifestyle. It sounds as though you've managed to do that pretty well!
