flat assembler
Message board for the users of flat assembler.

Index > Heap > Why we should always disable JS, Wasm and Flash

Goto page Previous  1, 2, 3 ... 21, 22, 23
Author
Thread Post new topic Reply to topic
guignol



Joined: 06 Dec 2008
Posts: 666
guignol
btw, revō, where's that cool browser writ in fasm?
Post 30 Dec 2019, 09:43
View user's profile Send private message Reply with quote
Tomasz Grysztar
Assembly Artist


Joined: 16 Jun 2003
Posts: 7572
Location: Kraków, Poland
Tomasz Grysztar
Post 19 Feb 2020, 15:46
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 8653
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
gotta quit internet Very Happy , everybody got a mouse moving picture now, unless you move using tab
Post 19 Feb 2020, 16:32
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17010
Location: In your JS exploiting you and your system
revolution
Image tagging has been known for a long time. Those ETag values can be used as pseudo tracking cookies. The consequence of which is if you enable image caching then you have also enabled sites to track you with ETags. The solution it to disable images (or only whitelist images in sites you care about). And if you have done that then CSS :hover images will also be neutered.
Post 19 Feb 2020, 17:05
View user's profile Send private message Visit poster's website Reply with quote
Tomasz Grysztar
Assembly Artist


Joined: 16 Jun 2003
Posts: 7572
Location: Kraków, Poland
Tomasz Grysztar
revolution wrote:
The solution it to disable images (or only whitelist images in sites you care about). And if you have done that then CSS :hover images will also be neutered.
What about other kinds of resources that CSS can access? Like fonts, cursors, etc.
Post 19 Feb 2020, 17:13
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17010
Location: In your JS exploiting you and your system
revolution
Tomasz Grysztar wrote:
What about other kinds of resources that CSS can access? Like fonts, cursors, etc.
Those could be interesting vectors also.

For me personally I always used my own font. FF allows us to select a local font and ignore anything the site wants to give us.

I wasn't aware that sites could also set custom cursors.
Post 19 Feb 2020, 17:20
View user's profile Send private message Visit poster's website Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 631
Location: Belarus
DimonSoft
revolution wrote:
Image tagging has been known for a long time. Those ETag values can be used as pseudo tracking cookies. The consequence of which is if you enable image caching then you have also enabled sites to track you with ETags. The solution it to disable images (or only whitelist images in sites you care about). And if you have done that then CSS :hover images will also be neutered.

But it’s CSS that gives access to this stuff! Why should we disable JS that gives access to certain things but not CSS?

---

It’s funny how people moved to looking for stuff that uses optimization effects. I doubt effects of optimization should be treated as security vulnerabilities but… Meltdown/Spectre, this stuff. I’m looking forward to measuring CPU temperature to find out whether particular branch executes or not.
Post 20 Feb 2020, 08:18
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3 ... 21, 22, 23

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.