<div dir="ltr">Mozilla confirms this bug is exploitable. I am making sure JavaScript is off by default and only enabled in pages where I want it to be.<div><br></div><div><a href="https://www.bleepingcomputer.com/news/security/mozilla-confirms-web-based-execution-vector-for-meltdown-and-spectre-attacks/">https://www.bleepingcomputer.com/news/security/mozilla-confirms-web-based-execution-vector-for-meltdown-and-spectre-attacks/</a><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 5, 2018 at 1:36 AM, der.hans <span dir="ltr"><<a href="mailto:PLUGd@lufthans.com" target="_blank">PLUGd@lufthans.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 05 Jan 2018, Herminio Hernandez, Jr. chatted thus:<br>
<br>
moin moin,<br>
<br>
Yeah, JavaScript's annoying. I've been using NoScript to block it outright<br>
for years. I only allow certain sites to have JavaScript. Some of those<br>
sites only get JavaScript when I'm trying to check out. Some get their own<br>
browser instance before I allow them to have JavaScript.<br>
<br>
Recently JavaScript has been used to do bitcoin mining via web browsers<br>
and it's had several security issues over the years.<br>
<br>
It can't escape the sandbox if it never runs :).<br>
<br>
ciao,<br>
<br>
der.hans<div><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Damn Stallman was right again<br>
<br>
<a href="https://www.gnu.org/philosophy/po/javascript-trap.ja-en.html" rel="noreferrer" target="_blank">https://www.gnu.org/philosophy<wbr>/po/javascript-trap.ja-en.html</a><br>
<br>
On Thu, Jan 4, 2018 at 10:52 PM, Andrew McRobb <<a href="mailto:andrewmcrobb@gmail.com" target="_blank">andrewmcrobb@gmail.com</a>><br>
wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
JavaScript being the Raccoon? heh<br>
<br>
Andrew McRobb<br>
Full-time Software Developer<br>
Part-time Freelancer<br>
<a href="http://mcrobb.info" rel="noreferrer" target="_blank">mcrobb.info</a><br>
<br>
On Thu, Jan 4, 2018 at 8:46 PM, Ed <<a href="mailto:plug@0x1b.com" target="_blank">plug@0x1b.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
More like raccoons to oranges...<br>
8)<br>
<br>
On Thu, Jan 4, 2018 at 4:59 PM, der.hans <<a href="mailto:PLUGd@lufthans.com" target="_blank">PLUGd@lufthans.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 04 Jan 2018, Andrew McRobb chatted thus:<br>
<br>
moin moin Andrew,<br>
<br>
cool, sounds like having umatrix or NoScript blocking javascript is still<br>
sufficient.<br>
<br>
Need to make sure &lt;script&gt; is blocked as well as the external JS.<br>
<br>
<a href="https://www.w3schools.com/html/html_scripts.asp" rel="noreferrer" target="_blank">https://www.w3schools.com/html<wbr>/html_scripts.asp</a><br>
<br>
ciao,<br>
<br>
der.hans<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
No, HTML5 is a markup at the end of the day. Comparing JS and HTML is like<br>
comparing apples to oranges. All HTML5 does is include new tags to use when<br>
building a web app for you or search engines to use:<br>
<a href="https://www.w3schools.com/html/html5_intro.asp" rel="noreferrer" target="_blank">https://www.w3schools.com/html<wbr>/html5_intro.asp</a>. It doesn't at all handle<br>
any logic like JS would, if that's what you are asking.<br>
<br>
Same can almost go for CSS. It's a description language, it doesn't handle<br>
any logic (except for select queries). However, CSS is starting to<br>
implement variables, but you can only use those for *attributes*. Not write<br>
a fully functional app with CSS alone.<br>
<br>
Andrew McRobb<br>
Full-time Software Developer<br>
Part-time Freelancer<br>
<a href="http://mcrobb.info" rel="noreferrer" target="_blank">mcrobb.info</a><br>
<br>
On Thu, Jan 4, 2018 at 10:21 AM, der.hans <<a href="mailto:PLUGd@lufthans.com" target="_blank">PLUGd@lufthans.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
moin moin,<br>
<br>
I haven't paid much attention to HTML and CSS standards for many years.<br>
<br>
As I understand it, HTML5 is script-like to lessen use of javascript.<br>
<br>
Does that mean plain HTML ( no javascript ) is sufficient to exploit<br>
browsers in light of #meltdown and #spectre ?<br>
<br>
<a href="https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/" rel="noreferrer" target="_blank">https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/</a><br>
<br>
<a href="https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca" rel="noreferrer" target="_blank">https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca</a><br>
<br>
What about CSS?<br>
<br>
ciao,<br>
<br>
der.hans<br>
--<br>
# <a href="https://www.LuftHans.com" rel="noreferrer" target="_blank">https://www.LuftHans.com</a> <a href="https://www.PhxLinux.org" rel="noreferrer" target="_blank">https://www.PhxLinux.org</a><br>
# As we enjoy great Advantages from the<br>
# Inventions of others we should be glad of an<br>
# Opportunity to serve others by any Invention of ours,<br>
# and this we should do freely and generously.<br>
# -- Benjamin Franklin (1706-1790), on his refusal to patent his<br>
inventions.<br>
------------------------------<wbr>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a><br>
</blockquote>
<br>
<br>
</blockquote>
<br>
--<br>
# <a href="https://www.LuftHans.com" rel="noreferrer" target="_blank">https://www.LuftHans.com</a> <a href="https://www.PhxLinux.org" rel="noreferrer" target="_blank">https://www.PhxLinux.org</a><br>
# Nobody grows old merely by living a number of years.<br>
# We grow old by deserting our ideals.<br>
# Years may wrinkle the skin, but to give up enthusiasm<br>
# wrinkles the soul. -- Samuel Ullman<br>
</blockquote>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
-- <br>
# <a href="https://www.LuftHans.com" rel="noreferrer" target="_blank">https://www.LuftHans.com</a> <a href="https://www.PhxLinux.org" rel="noreferrer" target="_blank">https://www.PhxLinux.org</a><br></div></div>
# It's up to the reader to make the book interesting.<br>
# An author has only the opportunity to make it uninteresting. - der.hans<br></blockquote></div><br></div>