Why JavaScript is bad and Pale Moon need a XSS filter again


dark_moon
Knows the dark side
Posts: 3641
Joined: Mon Jan 09, 2012 5:34 pm
Location: Germany

Why JavaScript is bad and Pale Moon need a XSS filter again

Postby dark_moon » Sun Sep 03, 2017 5:56 pm

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability: http://blog.securelayer7.net/owasp-top- ... t-imports/

Nice comments on reddit too: https://www.reddit.com/r/netsec/comment ... t_imports/
Happy Pale Moon x64 under Win7 x64 User
German translator for Pale Moon 15+ and Pale Moon Commander addon

HowTo create a new Pale Moon Profile & use the Safe Mode
My GPG Key: 0x01EAFE95

Moonchild
Pale Moon guru
Posts: 19679
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Postby Moonchild » Sun Sep 03, 2017 6:05 pm

JavaScript is not bad. Improper use of it is bad.
This is also not a browser issue but a web design issue.

Also, if you want to reintroduce the active XSS filter, then feel free to step right up and port the code forward to Pale Moon 27.
For all other uses, we have CORS and CSP to nip any XSS in the bud.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.
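Moonchild's point that CORS and CSP are the standard tools for nipping XSS in the bud, and the linked article's topic of third-party script imports, can be made concrete with a small policy checker: given a Content-Security-Policy header, which script URLs on a page would actually be allowed, and does the script-src directive contain anything that defeats the purpose? The Python below is an added example written for this thread, not code from the forum, from Pale Moon or from any linked site. The two policies, the page origin and the script URLs are constructed for illustration, and the matcher implements only the 'self', scheme and host-source parts of CSP source matching (no paths, nonces or hashes).

```python
"""Added example: check which <script src> URLs a CSP would allow and
flag script-src entries that undermine XSS protection.

The policies, page origin and script URLs below are constructed for
illustration and do not come from any real site. The matcher is a
simplified subset of CSP source matching (no paths, nonces or hashes).
"""
from urllib.parse import urlparse

# Source expressions in script-src that weaken or defeat XSS protection.
RISKY_SOURCES = {
    "'unsafe-inline'": "allows inline scripts, which is exactly what injected XSS payloads are",
    "'unsafe-eval'": "allows eval()/Function() on strings an attacker may influence",
    "*": "allows scripts from any origin",
    "http:": "allows scripts over cleartext HTTP",
    "data:": "allows data: URIs, which also carry script",
}


def parse_csp(header: str) -> dict:
    """Parse a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches subdomains only; anything else must be exact."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allowed(policy: dict, page_origin: str, script_url: str) -> bool:
    """True if script_url may load under script-src (falls back to default-src)."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: the CSP does not restrict scripts
    page, url = urlparse(page_origin), urlparse(script_url)
    for src in sources:
        s = src.lower()
        if s.startswith("'"):
            # keyword source: only 'self' is modelled here
            if s == "'self'" and (url.scheme, url.hostname, url.port) == (
                page.scheme, page.hostname, page.port
            ):
                return True
            continue
        if s == "*":
            return True  # simplified: real CSP still excludes data:/blob: here
        if s.endswith(":"):
            # scheme source such as https:
            if url.scheme == s[:-1]:
                return True
            continue
        # host source: [scheme://]host[:port]
        scheme, host_part = s.split("://", 1) if "://" in s else (None, s)
        host, _, port = host_part.split("/", 1)[0].partition(":")
        if scheme and scheme != url.scheme:
            continue
        if not _host_matches(host, url.hostname or ""):
            continue
        if port and port != "*":
            default = {"https": 443, "http": 80}.get(url.scheme)
            if str(url.port or default) != port:
                continue
        return True
    return False


def blocked_scripts(header: str, page_origin: str, script_urls: list) -> list:
    """Return the script URLs the policy would refuse to load."""
    policy = parse_csp(header)
    return [u for u in script_urls if not source_allowed(policy, page_origin, u)]


def weak_script_sources(header: str) -> list:
    """Return (source, reason) pairs for risky script-src entries."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    return [(s, RISKY_SOURCES[s.lower()]) for s in sources if s.lower() in RISKY_SOURCES]


# Constructed sample data (hypothetical hosts, not real sites).
PAGE_ORIGIN = "https://shop.example.com"
SCRIPTS = [
    "https://shop.example.com/app.js",      # first-party
    "https://cdn.example.net/lib.js",       # approved third-party CDN
    "https://ads.example.org/track.js",     # unapproved third-party import
    "http://cdn.example.net/lib.js",        # approved host, but cleartext
]
WEAK_CSP = "default-src 'self'; script-src 'self' * 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.net"

if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, "blocks:", blocked_scripts(header, PAGE_ORIGIN, SCRIPTS))
        print(name, "weak sources:", weak_script_sources(header))
```

Under the strict policy the unapproved ad host and the cleartext copy of the CDN script are refused, which is the "nip it in the bud" behaviour Moonchild refers to; the weak policy lets everything through and the audit names the two entries responsible, the wildcard and 'unsafe-inline'.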

adesh
Lunatic
Posts: 280
Joined: Tue Jun 06, 2017 7:38 am

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Postby adesh » Sun Sep 03, 2017 6:36 pm

FTR, NoScript provides XSS protection if you need it.

Latitude
Lunatic
Posts: 469
Joined: Mon Mar 21, 2016 6:28 pm

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Postby Latitude » Mon Oct 09, 2017 2:57 pm

So, XSS technique could be used to reach a good purpose?

millpond
Newbie
Posts: 5
Joined: Wed Oct 11, 2017 8:50 pm

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Postby millpond » Wed Oct 11, 2017 11:03 pm

Latitude wrote: So, XSS technique could be used to reach a good purpose?

Please define 'good'.

Personally I have a tendency to blacklist sites that cannot even maintain their own code. I believe the term for that is 'incompetent'.

The excuse that a site needs to cache similar code for multiple sites is a bit lame.
Because in reality, that code is typically annoying advertising junk.

The arguments against it are more potent: How would you like to have your site break because another site has gone down?
I have seen this happen with jQuery code that relied on a third party server (though jQuery itself does not suffer this problem - it downloads its scripts locally).

If site A needs to transfer control over to site B, as a website may do for PayPal, there should ALWAYS be a confirmation button.

From a user's perspective, if I go to site A, and I am assuming it has earned my trust, I certainly do not want content from site B, which is usually an unknown entity. I have my blockers amped up to full throttle on this. My hosts file is over a meg.

At today's bandwidth the few extra milliseconds for transferring needed scripts over should be inconsequential for a well designed site. And problematic for sites offering nothing but garbage requiring excessive and atrocious multimedia effects, usually to get extra ratings for advertising revenue rather than for user benefits.
