All, I was unsure which list's scope this issue falls under, so I decided to go with both lists that seem to pertain. I apologize if this is irrelevant to either one of the lists.
JavaScript is currently one of the most widely used web technologies in existence; it is used on millions of websites. Websites use this technology to perform subrequests for dynamic content, provide enhanced interaction, menus, and so forth. However, there is a dark side of JavaScript that needs addressing. JavaScript engines are currently largely unaccountable, and there is no real way to see what a JavaScript engine is doing within the context of a browser, especially through obfuscated JavaScript code. For a significant example of how JavaScript has become out of control and out of hand: http://www.incapsula.com/blog/world-largest-site-xss-ddos-zombies.html

Taking this example into account, users may not know, without monitoring their network traffic, that their browsers have been joined into the attack, where their browser may perform things without their knowledge or consent. The current black box model, where the only control users have seems to be "On" or "Off", needs to end. "Off" is largely no longer an option given the fact that so many websites demand and require JavaScript to operate and will break without it.

What needs to happen is that a model, similar to the current Mozilla CAPS, needs to be created where users may dictate what other websites a website may use JavaScript to communicate with. Users also need to be able to restrict which websites may perform network operations or access which computer resources through JavaScript. By "computer resources" this includes things like the JavaScript engine's ability to communicate with plugins (e.g. Flash) or to obtain information on resolution, fonts or other similar information. This also includes things like mouse position information or whether a page can capture the "onclick" or "onmouseover" events, which can be used to be invasive to a user's privacy if the information is recorded for user behavior tracking.
How CAPS fails here is that it requires you to find the specific call, and in some cases it seems some calls are immutable. Obscured code makes it very difficult to determine which calls are used, since JavaScript often offers multiple methods to perform one action. At this point, add-ons are no longer sufficient to protect users; this needs to be a forced element in the core of browsers. Plugins will never have the level of hook access that is needed, and there will always be holes, as these add-ons override specific activities; they do not set the default actions of the core JavaScript engine, and not everything is hookable.

While the highest options do not need to be enabled by default, those options absolutely need to be available at a minimum, as again, the black box model is no longer acceptable from an information security perspective. Users need to be able to say "I don't want my browser to do this activity" and have that respected regardless of whether it breaks a feature of a website, while leaving the rest of JavaScript to run. Given the inter-communication and intermingling of both legitimate and illegitimate websites through advertisement networks, hotlinking, exploits and so forth, the days where you "only visit websites you trust" have ended. Users need to be able to say "I don't ever want to be a part of this kind of attack" without having to lose critical functionality of their browser.

Thank you and Securely,
--
Kradorex Xeron <[email protected]>
Founder, Executive Director
Digibase Operations, Research and Development

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

