Skip to main content


One of the things that is destroying the web is WASM and JavaScript.

This isn't really even a joke - it's literal.

By having all these tools to make a web browser have unfettered access to the system, it becomes unsafe to allow users to generate arbitrary code. We can't have another MySpace or NeoPets User Lookup because we can't allow users to write their own HTML, because that's *dangerous*.

in reply to silverwizard

The problem is literally that the Web Browser no longer is a web platform. It's a code interpreter. The limits of the web lead to safety. XSS is a consequence of a failure.
in reply to silverwizard

I don't know what Roblox is doing - but I think Roblox is maybe the birthplace of hackers?
in reply to silverwizard

I do know, or knew at least, and it absolutely is a little hacker incubator and also a massive threat vector.
in reply to Andrew (Television Executive)

@Andrew (Television Executive) I feel like all of the good hacker incubators are massive threat vectors. But the People Make Games video made it seem suspicious as hell.
in reply to silverwizard

I haven't seen the video, but I worked in reliability there for half a decade.

Reliability and security on that platform (not to mention safety) are huge unsolved problems.

in reply to silverwizard

BBS > Neopets > roblox. The hacker incubation evolution.

silverwizard reshared this.

in reply to silverwizard

I wonder if there's a way to say "do not run scripts in this frame, no matter how they come to be there". And then strip out script tags and things, of course, but also then if they find a way to embed a script that you didn't think of, it wouldn't get run.
in reply to silverwizard

@silverwizard @Frost, Wolffucker 🐺 Isn’t that CORS? You can disable inline JS, limit JS inclusion from known domains, etc…
This entry was edited (1 month ago)
in reply to Hypolite Petovan

@Hypolite Petovan @Frost, Wolffucker 🐺:therian: CORS allows you to limit cross domain resources. But I can mine bitcoin on your CPU without any cross domain anything. Hell, in theory,I might be able to send spam that way! I can definitely steal your credit card number.

But if I could just add a X-No-Dynamism header that would say "this HTTP session does not send JS or WASM", I could keep everything on my site safe.

I could let users write pretty unfiltered HTML, and most of the tricks would be contained in a frame.

in reply to silverwizard

@silverwizard It should, if it is restrictive enough. What is the specific use case you have in mind?
in reply to Hypolite Petovan

@Hypolite Petovan Does that block local scripts? I thought it didn't? I don't have a spare webserver I feel safe rewriting headers on right now.
in reply to Hypolite Petovan

@Hypolite Petovan So if I send:
Content-Security-Policy: script-src: 'none'

<html>
<script>alert("OH NO");</script>
</html>

With a valid Content-Length and junk

Would that work?

in reply to silverwizard

@Hypolite Petovan Ok - actually

I ran
cat test.txt | nc -l -p 2000
with test.txt containing

HTTP/1.0 200 OK
Date: Tue, 22 Oct 2024 19:27:37 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 486
Location: localhost
Content-Security-Policy: script-src: 'none'

<html>
<head>Hello</head>
<body>
<script>alert("OH NO");</script>
</body>
</html>

(Ignore the fake content length)

I then pointed my browser (librewolf) at it, and it saw these response headers:

HTTP/1 200 OK
Date: Tue, 22 Oct 2024 19:27:37 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 486
Location: localhost
Content-Security-Policy: script-src: 'none'

And it popped up a popup saying "OH NO"

in reply to silverwizard

@Hypolite Petovan Ran it in Chrome and Firefox as well. Also changed the CSP to default-src: 'none' script-src: 'none' and got the same results in LibreWolf.
in reply to silverwizard

@silverwizard This is disheartening as CSP are supposed to address exactly that. Either it's malfunctioning or is too brittle to be used effectively, and neither are a good look.
in reply to Hypolite Petovan

@Hypolite Petovan I think it's just that browser vendors are unwilling to support them properly, and generally there's a generic trust in the local source. It's also complex as browers are also a mess of JS and local user scripts are a very normal part of browsing these days, since most people are using extensions to their browser.
in reply to silverwizard

@silverwizard I wrote this before you performed your netcat experiment! I'm not happy about the outcome!
in reply to Frost, Wolffucker 🐺:therian:

And there's evidently ways to do it safely, because JSFiddle and the like exists, but it apparently requires a whole separate domain like "githubusercontent.com" and that's probably too much complexity for, say, a forum/social media site where every post gets full HTML or whatever.
in reply to silverwizard

I would also argue that it enables the big corps to limit our freedoms with the computers we bought, by locking us to "the web".

Bare metal is freedom!
Even if people don't like C/C++/Rust/Go/Pascal, it is important that they exist, so others can have their native Python and Node.

I must admit that I do enjoy messing around with WASM, but now that I think of it, it's sort of me enjoying my own leach.

in reply to MontyOnTheRun

@MontyOnTheRun yeah! We can build these things! Build a limited web and unlimited world!

Remember never download a . exe from the web, but your safe otherwise!

in reply to silverwizard

is it safe to let users generate even arbitrary HTML? Was it ever safe to do so? Or did these sites just not care?
in reply to silverwizard

@valk It’s rare, but keyloggers and other funny things have happened. (css-tricks.com/css-security-vu…)
in reply to silverwizard

one could always hide a malicious / phishing link with an A tag. Or abuse image loading to track people (mitigatable now, but not back then.)
in reply to valkyrie_pilot

@valkyrie_pilot I mean, they could definitely add tracking, definitely. And as long as you wrap the page, phishing is harder. And phishing is so easy these days with hubspot wrapping all email links, and no one properly using URLs. I dunno. I hear the concern, and I get it, but it just feels unconvincing to me. I feel like it's an arguement that only applies to more sophisticated users.
in reply to silverwizard

i think the point i was trying to make is that you don't need scripts to do bad things. it's really hard to provide the flexibility you want to when allowing custom code without being unreasonably limiting. I don't think this is a fault of javascript, personally.
That said, I've gone on record saying javascript is overhated, so. Make of that what you will.
in reply to valkyrie_pilot

@valkyrie_pilot I personally think JavaScript is underhated. I think people don't think enough about the ways the Browser is now a platform. People feel safe with browsers, and that's not a good idea imo.

cy reshared this.

in reply to silverwizard

The browser *is* a platform. it's a really accessible, standardized, universal, open platform, too- if only we could agree to actually write effective and performant code for it.
It's not a perfect platform. But it's a hell of a lot better than... iOS... or Android... or Windows... or macOS... they're such terrible targets to build for and people use web tech for it anyway.
Unknown parent

@Brooke Vibber :blobcatpumpkin: I mean, the problem with the browser sandbox is that everything is in the browser sandbox. If your location, contacts, email, GPU, and notifications are all in the sandbox, pwning it *is* the crown jewels already. JS and WASM put those things inside the sandbox.

reshared this

Unknown parent

@Brooke Vibber :blobcatpumpkin: yeah! Limit the browser's capabilities and you shrink surface into a canvas!