Why JavaScript is bad and Pale Moon need a XSS filter again


dark_moon

Why JavaScript is bad and Pale Moon need a XSS filter again

Postby dark_moon » Sun, 03 Sep 2017, 17:56

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability: http://blog.securelayer7.net/owasp-top- ... t-imports/

Nice comments on reddit too: https://www.reddit.com/r/netsec/comment ... t_imports/

Moonchild
Pale Moon guru
Posts: 20507
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Postby Moonchild » Sun, 03 Sep 2017, 18:05

JavaScript is not bad. Improper use of it is bad.
This is also not a browser issue but a web design issue.

Also, if you want to reintroduce the active XSS filter, then feel free to step right up and port the code forward to Pale Moon 27.
For all other uses, we have CORS and CSP to nip any XSS in the bud.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.
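
As an added illustration of the CSP point in the reply above (example code written for this thread, not Pale Moon's or Mozilla's implementation): a simplified evaluator for the script-src directive that shows which third-party script imports a given policy lets a page load. It handles only the common source expressions ('none', 'self', scheme-source, and host-source with optional wildcard subdomain, port and path) and ignores nonces, hashes and 'unsafe-inline'; every hostname and the sample policy are constructed for the example.

```javascript
// Added example (not Pale Moon's or Mozilla's code): a simplified evaluator for
// the CSP `script-src` directive, showing which third-party script imports a
// policy lets a page load. It covers only the common source expressions
// ('none', 'self', scheme-source, host-source with optional wildcard subdomain,
// port and path) and ignores nonces, hashes and 'unsafe-inline', so it is an
// illustration of the matching rules, not a replacement for the browser's check.
// All hostnames below are constructed for the example.

// Parse a Content-Security-Policy header value into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does a single source expression permit `resource` to load into a page at `page`?
function matchesSourceExpression(expr, resource, page) {
  const keyword = expr.toLowerCase();
  if (keyword === "'none'") return false;
  if (keyword === "'self'") return resource.origin === page.origin;
  if (keyword.startsWith("'")) return false; // nonce/hash/unsafe-* keywords never match an external URL here

  // scheme-source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(keyword)) return resource.protocol === keyword;

  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : null;
  const host = m[2].toLowerCase();
  const port = m[3];
  const path = m[4];

  // Without an explicit scheme the resource must use the page's scheme
  // (an https resource on an http page is also accepted, as in the spec).
  if (scheme && resource.protocol !== scheme) return false;
  if (!scheme && resource.protocol !== page.protocol && resource.protocol !== 'https:') return false;

  // "*.example.com" matches any subdomain but not example.com itself.
  if (host.startsWith('*.')) {
    if (!resource.hostname.endsWith(host.slice(1))) return false;
  } else if (resource.hostname !== host) {
    return false;
  }

  if (port && port !== '*' && (resource.port || defaultPort(resource.protocol)) !== port) return false;

  // A path ending in "/" is a prefix; any other path must match exactly.
  if (path) {
    if (path.endsWith('/')) {
      if (!resource.pathname.startsWith(path)) return false;
    } else if (resource.pathname !== path) {
      return false;
    }
  }
  return true;
}

// True when the policy lets the page at `pageUrl` execute an external script from `scriptUrl`.
function scriptAllowed(cspHeader, pageUrl, scriptUrl) {
  const policy = parseCsp(cspHeader);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true; // no governing directive: CSP does not restrict scripts
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  return sources.some(expr => matchesSourceExpression(expr, script, page));
}

// Constructed policy for a constructed shop page: its own scripts, one pinned CDN host
// and one wildcard host restricted to a path prefix.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com https://*.static.example.org/libs/";
const SAMPLE_PAGE = 'https://shop.example.com/cart';

console.log(scriptAllowed(SAMPLE_CSP, SAMPLE_PAGE, 'https://cdn.example.com/jquery.js'));  // true
console.log(scriptAllowed(SAMPLE_CSP, SAMPLE_PAGE, 'https://evil.example.net/inject.js')); // false
```

The point for the "bad imports" case is the last two calls: once script-src lists only the hosts the site actually needs, a script tag that ends up pointing at any other origin is refused by the browser regardless of how it got into the page, which is the sense in which a server-side policy covers what the old active XSS filter used to guess at. Note that an overly broad expression such as a bare `https:` passes every HTTPS host, so a real policy should list hosts, and CSP reports should be monitored for unexpected blocks.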

adesh
Lunatic
Posts: 351
Joined: Tue, 06 Jun 2017, 07:38

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Postby adesh » Sun, 03 Sep 2017, 18:36

FTR, NoScript provides XSS protection if you need it.

Latitude
Astronaut
Posts: 516
Joined: Mon, 21 Mar 2016, 18:28

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Postby Latitude » Mon, 09 Oct 2017, 14:57

So, could the XSS technique be used for a good purpose?

millpond
Newbie
Posts: 5
Joined: Wed, 11 Oct 2017, 20:50

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Postby millpond » Wed, 11 Oct 2017, 23:03

Latitude wrote: So, could the XSS technique be used for a good purpose?

Please define 'good'.

Personally I have a tendency to blacklist sites that cannot even maintain their own code. I believe the term for that is 'incompetent'.

The excuse that a site needs to cache similar code for multiple sites is a bit lame, because in reality that code is typically annoying advertising junk.

The arguments against it are more potent: how would you like to have your site break because another site has gone down?
I have seen this happen with jQuery code that relied on a third-party server (though jQuery itself does not suffer this problem - it downloads its scripts locally).

If site A needs to transfer control over to site B, as a website may do for PayPal, there should ALWAYS be a confirmation button.

From a user's perspective, if I go to site A, and I am assuming it has earned my trust, I certainly do not want content from site B, which is usually an unknown entity. I have my blockers amped up to full throttle on this. My hosts file is over a meg.

At today's bandwidth, the few extra milliseconds for transferring needed scripts over should be inconsequential for a well-designed site, and problematic only for sites offering nothing but garbage requiring excessive and atrocious multimedia effects, usually to get extra ratings for advertising revenue rather than for user benefit.

struppi
Moongazer
Posts: 12
Joined: Wed, 30 Nov 2016, 08:28

Re: Why JavaScript is bad and Pale Moon need a XSS filter again

Postby struppi » Thu, 09 Nov 2017, 06:53

I am a great fan of JavaScript, but I have used a JS filter since the beginning because of useless and annoying effects. The best protection against those attacks is uMatrix.

You can allow or forbid everything from every single URL (and even treat the same URL differently on different pages). And everything means cookies, JavaScript, CSS, images, frames, XHR, media and "other". For experienced users I recommend this add-on.
