Skip to main content

One of the things that is destroying the web is WASM and JavaScript.

This isn't really even a joke - it's literal.

By having all these tools to make a web browser have unfettered access to the system, it becomes unsafe to allow users to generate arbitrary code. We can't have another MySpace or NeoPets User Lookup because we can't allow users to write their own HTML, because that's *dangerous*.

in reply to silverwizard

silverwizard
silverwizard
The problem is literally that the Web Browser no longer is a web platform. It's a code interpreter. The limits of the web lead to safety. XSS is a consequence of a failure.
in reply to silverwizard

silverwizard
silverwizard
I don't know what Roblox is doing - but I think Roblox is maybe the birthplace of hackers?
in reply to silverwizard

Andrew (Television Executive)
Andrew (Television Executive)
I do know, or knew at least, and it absolutely is a little hacker incubator and also a massive threat vector.
in reply to Andrew (Television Executive)

silverwizard
silverwizard
@Andrew (Television Executive) I feel like all of the good hacker incubators are massive threat vectors. But the People Make Games video made it seem suspicious as hell.
@Andrew (Television Executive)
in reply to silverwizard

Andrew (Television Executive)
Andrew (Television Executive)

I haven't seen the video, but I worked in reliability there for half a decade.

Reliability and security on that platform (not to mention safety) are huge unsolved problems.

in reply to silverwizard

j_angliss
j_angliss
BBS > Neopets > roblox. The hacker incubation evolution.

silverwizard reshared this.

in reply to silverwizard

Frost, Wolffucker 🐺:therian:
Frost, Wolffucker 🐺:therian:
I wonder if there's a way to say "do not run scripts in this frame, no matter how they come to be there". And then strip out script tags and things, of course, but also then if they find a way to embed a script that you didn't think of, it wouldn't get run.
in reply to Frost, Wolffucker 🐺:therian:

silverwizard
silverwizard
@Frost, Wolffucker 🐺:therian: I mean - I'd love to make tools to allow noscript sites. Sites that say "run not JS from me". It'd be so good as a header!
@Frost, Wolffucker 🐺:therian:
in reply to silverwizard

Hypolite Petovan
Hypolite Petovan
@silverwizard @Frost, Wolffucker 🐺 Isn’t that CORS? You can disable inline JS, limit JS inclusion from known domains, etc…
@Frost, Wolffucker 🐺:therian: @silverwizard
This entry was edited (4 weeks ago)
in reply to Hypolite Petovan

silverwizard
silverwizard

@Hypolite Petovan @Frost, Wolffucker 🐺:therian: CORS allows you to limit cross domain resources. But I can mine bitcoin on your CPU without any cross domain anything. Hell, in theory,I might be able to send spam that way! I can definitely steal your credit card number.

But if I could just add a X-No-Dynamism header that would say "this HTTP session does not send JS or WASM", I could keep everything on my site safe.

I could let users write pretty unfiltered HTML, and most of the tricks would be contained in a frame.

@Hypolite Petovan @Frost, Wolffucker 🐺:therian:
in reply to silverwizard

Hypolite Petovan
Hypolite Petovan
@silverwizard It should, if it is restrictive enough. What is the specific use case you have in mind?
@silverwizard
in reply to Hypolite Petovan

silverwizard
silverwizard
@Hypolite Petovan Does that block local scripts? I thought it didn't? I don't have a spare webserver I feel safe rewriting headers on right now.
@Hypolite Petovan
in reply to Hypolite Petovan

silverwizard
silverwizard

@Hypolite Petovan So if I send:
Content-Security-Policy: script-src: 'none'

<html>
<script>alert("OH NO");</script>
</html>

With a valid Content-Length and junk

Would that work?

@Hypolite Petovan
in reply to silverwizard

silverwizard
silverwizard

@Hypolite Petovan Ok - actually

I ran
cat test.txt | nc -l -p 2000
with test.txt containing

HTTP/1.0 200 OK
Date: Tue, 22 Oct 2024 19:27:37 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 486
Location: localhost
Content-Security-Policy: script-src: 'none'

<html>
<head>Hello</head>
<body>
<script>alert("OH NO");</script>
</body>
</html>

(Ignore the fake content length)

I then pointed my browser (librewolf) at it, and it saw these response headers:

HTTP/1 200 OK
Date: Tue, 22 Oct 2024 19:27:37 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 486
Location: localhost
Content-Security-Policy: script-src: 'none'

And it popped up a popup saying "OH NO"

@Hypolite Petovan
in reply to silverwizard

silverwizard
silverwizard
@Hypolite Petovan Ran it in Chrome and Firefox as well. Also changed the CSP to default-src: 'none' script-src: 'none' and got the same results in LibreWolf.
@Hypolite Petovan
in reply to silverwizard

Hypolite Petovan
Hypolite Petovan
@silverwizard This is disheartening as CSP are supposed to address exactly that. Either it's malfunctioning or is too brittle to be used effectively, and neither are a good look.
@silverwizard
in reply to Hypolite Petovan

silverwizard
silverwizard
@Hypolite Petovan I think it's just that browser vendors are unwilling to support them properly, and generally there's a generic trust in the local source. It's also complex as browers are also a mess of JS and local user scripts are a very normal part of browsing these days, since most people are using extensions to their browser.
@Hypolite Petovan
in reply to silverwizard

Hypolite Petovan
Hypolite Petovan
@silverwizard I wrote this before you performed your netcat experiment! I'm not happy about the outcome!
@silverwizard
in reply to Frost, Wolffucker 🐺:therian:

Frost, Wolffucker 🐺:therian:
Frost, Wolffucker 🐺:therian:
And there's evidently ways to do it safely, because JSFiddle and the like exists, but it apparently requires a whole separate domain like "githubusercontent.com" and that's probably too much complexity for, say, a forum/social media site where every post gets full HTML or whatever.
in reply to silverwizard

MontyOnTheRun
MontyOnTheRun

I would also argue that it enables the big corps to limit our freedoms with the computers we bought, by locking us to "the web".

Bare metal is freedom!
Even if people don't like C/C++/Rust/Go/Pascal, it is important that they exist, so others can have their native Python and Node.

I must admit that I do enjoy messing around with WASM, but now that I think of it, it's sort of me enjoying my own leach.

in reply to MontyOnTheRun

silverwizard
silverwizard

@MontyOnTheRun yeah! We can build these things! Build a limited web and unlimited world!

Remember never download a . exe from the web, but your safe otherwise!

@MontyOnTheRun
in reply to silverwizard

valkyrie_pilot
valkyrie_pilot
is it safe to let users generate even arbitrary HTML? Was it ever safe to do so? Or did these sites just not care?
in reply to valkyrie_pilot

silverwizard
silverwizard
@valkyrie_pilot why would styling be unsafe?
@valkyrie_pilot
in reply to silverwizard

lifts
lifts
@valk It’s rare, but keyloggers and other funny things have happened. (css-tricks.com/css-security-vu…)

CSS Security Vulnerabilities | CSS-Tricks

Don't read that headline and get worried. I don't think CSS is a particularly dangerous security concern and, for the most part, I don't think you need to
Chris Coyier (CSS-Tricks)
@valkyrie_pilot
in reply to silverwizard

valkyrie_pilot
valkyrie_pilot
one could always hide a malicious / phishing link with an A tag. Or abuse image loading to track people (mitigatable now, but not back then.)
in reply to valkyrie_pilot

silverwizard
silverwizard
@valkyrie_pilot I mean, they could definitely add tracking, definitely. And as long as you wrap the page, phishing is harder. And phishing is so easy these days with hubspot wrapping all email links, and no one properly using URLs. I dunno. I hear the concern, and I get it, but it just feels unconvincing to me. I feel like it's an arguement that only applies to more sophisticated users.
@valkyrie_pilot
in reply to silverwizard

valkyrie_pilot
valkyrie_pilot
i think the point i was trying to make is that you don't need scripts to do bad things. it's really hard to provide the flexibility you want to when allowing custom code without being unreasonably limiting. I don't think this is a fault of javascript, personally.
That said, I've gone on record saying javascript is overhated, so. Make of that what you will.
in reply to valkyrie_pilot

silverwizard
silverwizard
@valkyrie_pilot I personally think JavaScript is underhated. I think people don't think enough about the ways the Browser is now a platform. People feel safe with browsers, and that's not a good idea imo.
@valkyrie_pilot

cy reshared this.

in reply to silverwizard

valkyrie_pilot
valkyrie_pilot
The browser *is* a platform. it's a really accessible, standardized, universal, open platform, too- if only we could agree to actually write effective and performant code for it.
It's not a perfect platform. But it's a hell of a lot better than... iOS... or Android... or Windows... or macOS... they're such terrible targets to build for and people use web tech for it anyway.
Unknown parent

silverwizard
silverwizard
@Brooke Vibber :blobcatpumpkin: I mean, the problem with the browser sandbox is that everything is in the browser sandbox. If your location, contacts, email, GPU, and notifications are all in the sandbox, pwning it *is* the crown jewels already. JS and WASM put those things inside the sandbox.
@Brooke Vibber

reshared this

in reply to silverwizard

Brooke Vibber
Brooke Vibber
it certainly increases the security surface to worry about :)