Page 3 of 3
Results 21 to 26 of 26

Thread: What am I missing concerning Chromium and potential cross site scripting?

  1. #21
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote: Originally Posted by Paddy Landau
    Ha ha, that's a lovely reply. I was thinking just the other day about how complex our lives have become, and how it would help people — and the planet — to revert to a simpler lifestyle. It sounds as though you've managed to do that pretty well!
    We certainly have lots of modern trappings, it is just that cell connectivity isn't one.

  2. #22
    Join Date
    Jan 2018
    Beans
    103

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote: Originally Posted by TheFu
    Just turn off all XSS everywhere and be done with it. Any website that doesn't work without XSS off is one that home users don't need to visit.

    If it is required for a work-related webapp, then you shouldn't be using any of your own equipment and the company is responsible for everything. If they allow it for any reason, including ignorance, it is their fault, not yours.

    XSS has been a known attack vector for about 15 yrs. We have choice. We don't need to accept defaults if we disagree with them. We don't have to use webapps that are security and/or privacy risks. We don't have to use programs that don't meet our security requirements. Sometimes I use lynx for browsing. Sometimes I will use a web-site cloning tool to grab a specific page I want from a website - outside using any browser. We don't have to use javascript either.

    These things are all our choices to make. Nobody else can make them for us, at least at home. It is fine to disagree with others. We each have different needs.
    So I decided to try out the Firefox add-on NoScript. The ads didn't work on one site I frequent and I got a blank page on another site. I realize I could make adjustments to get these to work like I would like.

    Aside from that this is really more than I care to get into. In the future if I install Ubuntu again I'm more likely to just install Chrome as it has the rapid updates. Chromium was again three weeks out of date until just a couple of days ago.

    But thanks!

  3. #23
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    For sites you deem "good", enable javascript and allow it for the sub-pages you feel need it. The settings will be remembered and you'll be fine for a few years. Trustworthy websites running javascript is a much different thing than allowing random websites to run javascript.

    It is basically an "allow" when needed switch. If that is too difficult, fine. My 80+ yr old mother was able to handle it.

    Plus, nobody says you only need 1 browser for everything and that it 100% must be secure against every possible attack. I only use firefox for generally safe browsing of known websites. For any unknown websites, I'll use a different browser that is running in a protected space, not allowed to touch the system it is running on.

    BTW, Canonical has decided to handle some of this by forcing snap-package versions onto end-users. I reject that. Actually, I switched my desktop to a non-Ubuntu system primarily due to their forcing the use of snap packages with constraints I have no control over. For me, those constraints are wrong and not sufficient to my needs. Sometimes I need fewer constraints and sometimes I need much more - "don't touch anything on the system" constraints. Snaps don't allow that.

    For banking, I do much more security and NEVER use my daily use browser + configuration for banking or other financial websites. I just don't.

  4. #24
    Join Date
    Jan 2018
    Beans
    103

    Re: What am I missing concerning Chromium and potential cross site scripting?

    It's not too difficult. I just don't care to do it. But thanks.

  5. #25
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote: Originally Posted by TheFu
    Snaps don't allow that.
    That's the one big objection that I have with snap. Fortunately, flatpak does allow that.
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  6. #26
    Join Date
    Jan 2018
    Beans
    103

    Re: What am I missing concerning Chromium and potential cross site scripting?

    So I found something which, although simplistic, makes me feel better. I was looking for something in the CVE priorities which would match up with Alex Murray's statement in the second post about medium, low, and negligible CVEs having smaller effects (or other conditions). In the CVE priority definitions, XSS is generally a medium CVE. But if one XSS matched the "real problem" and "exploitable in the default configuration" criteria, it would be prioritized as high. And there have been a couple of high XSS. So if you have a medium XSS which can be exploited in the default configuration, then it must not be a "real problem". And so you have Alex Murray's smaller effect.

    Good enough.

    Medium: Open vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges.
    High: Open vulnerability that is a real problem and is exploitable for many users in the default configuration of the affected software. Examples include serious remote denial of service of the system, local root privilege escalations or local data theft.
    https://people.canonical.com/~ubuntu.../priority.html
    Last edited by donald187; January 9th, 2024 at 09:04 PM.
