One of the things that is destroying the web is WASM and JavaScript.
This isn't really even a joke - it's literal.
By having all these tools to make a web browser have unfettered access to the system, it becomes unsafe to allow users to generate arbitrary code. We can't have another MySpace or NeoPets User Lookup because we can't allow users to write their own HTML, because that's *dangerous*.
like this
reshared this
silverwizard
in reply to silverwizard • •silverwizard
in reply to silverwizard • •Andrew (Television Executive)
in reply to silverwizard • • •silverwizard likes this.
silverwizard
in reply to Andrew (Television Executive) • •Andrew (Television Executive)
in reply to silverwizard • • •I haven't seen the video, but I worked in reliability there for half a decade.
Reliability and security on that platform (not to mention safety) are huge unsolved problems.
silverwizard likes this.
silverwizard
in reply to Andrew (Television Executive) • •cy
in reply to Andrew (Television Executive) • • •silverwizard likes this.
j_angliss
in reply to silverwizard • • •silverwizard reshared this.
silverwizard
in reply to j_angliss • •Frost, Wolffucker 🐺:therian:
in reply to silverwizard • • •silverwizard likes this.
silverwizard
in reply to Frost, Wolffucker 🐺:therian: • •Hypolite Petovan
in reply to silverwizard • • •silverwizard
in reply to Hypolite Petovan • •@Hypolite Petovan @Frost, Wolffucker 🐺:therian: CORS allows you to limit cross domain resources. But I can mine bitcoin on your CPU without any cross domain anything. Hell, in theory,I might be able to send spam that way! I can definitely steal your credit card number.
But if I could just add a X-No-Dynamism header that would say "this HTTP session does not send JS or WASM", I could keep everything on my site safe.
I could let users write pretty unfiltered HTML, and most of the tricks would be contained in a frame.
like this
Hypolite Petovan likes this.
Hypolite Petovan
in reply to silverwizard • • •silverwizard
in reply to Hypolite Petovan • •Hypolite Petovan
in reply to silverwizard • • •silverwizard
in reply to Hypolite Petovan • •@Hypolite Petovan developer.mozilla.org/en-US/do…
Is there a way to say default-src: none? Or just set no valid sources? not as I recall
Hypolite Petovan
in reply to silverwizard • • •silverwizard
in reply to Hypolite Petovan • •Hypolite Petovan
in reply to silverwizard • • •silverwizard
in reply to Hypolite Petovan • •@Hypolite Petovan So if I send:
Content-Security-Policy: script-src: 'none'
<html>
<script>alert("OH NO");</script>
</html>
With a valid Content-Length and junk
Would that work?
silverwizard
in reply to silverwizard • •@Hypolite Petovan Ok - actually
I ran
cat test.txt | nc -l -p 2000
with test.txt containing
(Ignore the fake content length)
I then pointed my browser (librewolf) at it, and it saw these response headers:
And it popped up a popup saying "OH NO"
silverwizard
in reply to silverwizard • •Hypolite Petovan
in reply to silverwizard • • •'self'
?silverwizard
in reply to Hypolite Petovan • •Hypolite Petovan
in reply to silverwizard • • •silverwizard
in reply to Hypolite Petovan • •Hypolite Petovan likes this.
Hypolite Petovan
in reply to silverwizard • • •unsafe-inline
policy is explicitly allowed.silverwizard
in reply to Hypolite Petovan • •Hypolite Petovan
in reply to silverwizard • • •Frost, Wolffucker 🐺:therian:
in reply to Frost, Wolffucker 🐺:therian: • • •silverwizard likes this.
silverwizard
in reply to Frost, Wolffucker 🐺:therian: • •MontyOnTheRun
in reply to silverwizard • • •I would also argue that it enables the big corps to limit our freedoms with the computers we bought, by locking us to "the web".
Bare metal is freedom!
Even if people don't like C/C++/Rust/Go/Pascal, it is important that they exist, so others can have their native Python and Node.
I must admit that I do enjoy messing around with WASM, but now that I think of it, it's sort of me enjoying my own leach.
silverwizard
in reply to MontyOnTheRun • •@MontyOnTheRun yeah! We can build these things! Build a limited web and unlimited world!
Remember never download a . exe from the web, but your safe otherwise!
valkyrie_pilot
in reply to silverwizard • • •silverwizard
in reply to valkyrie_pilot • •lifts
in reply to silverwizard • • •CSS Security Vulnerabilities | CSS-Tricks
Chris Coyier (CSS-Tricks)silverwizard
in reply to lifts • •valkyrie_pilot
in reply to silverwizard • • •silverwizard
in reply to valkyrie_pilot • •valkyrie_pilot
in reply to silverwizard • • •That said, I've gone on record saying javascript is overhated, so. Make of that what you will.
silverwizard
in reply to valkyrie_pilot • •like this
cy likes this.
cy reshared this.
cy
in reply to silverwizard • • •I am so using that
silverwizard likes this.
valkyrie_pilot
in reply to silverwizard • • •It's not a perfect platform. But it's a hell of a lot better than... iOS... or Android... or Windows... or macOS... they're such terrible targets to build for and people use web tech for it anyway.
silverwizard
Unknown parent • •like this
cy likes this.
reshared this
Preston Maness ☭ and cy reshared this.
Jonathan Lamothe
in reply to silverwizard • • •silverwizard likes this.
Brooke Vibber
in reply to silverwizard • • •silverwizard likes this.
silverwizard
in reply to Brooke Vibber • •Sconient
in reply to silverwizard • • •Samy Kamkar - The MySpace Worm
samy.plsilverwizard
in reply to Sconient • •