On Sat, Mar 07, 2020 at 11:55:59AM -0700, Luke A. Call wrote:
> On 03-07 19:19, whistlez...@riseup.net wrote:
[...]
> > As I know many sites without js doesn't work. Anyway I don't understand
> > how switching off js defend you from 0day browser bug.
> > Maybe you mean that because many 0day concern javascript ?
> 
> Yes, as well as the general category of speculative execution CPU
> attacks, rowhammer-type attacks, evercookies that use javascript, 
> and/or whatever else I don't know about that is enabled by javascript.
> It just seems to be required for many attacks that one reads about, over
> time, and given that trend, probably some future ones, all from
> downloading unknown code to run locally.  For those fewer times when I do
> enable it, I'm glad for OBSD's various protections, to further lower
> risk.


I think switching js off is one (very important) thing. But, there is
more of it. Which is why I try to not load page-provided fonts and css
at all. In css (or in certain browser-specific variation), one can
embed js code, and same with svg file. I wonder if switching js off in
browser would then result in not executing embedded js as well?

Another fun read: Krebbs describes how browser extension has been sold
by original author and then used by new owner to detect if user works
on Wordpress or Joomla. If so, the "Page Ruler" injected small js
snippet into edited webpage.

   
https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/

I guess extensions work even with js switched off...

Etc etc

-- 
Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:tomasz_r...@bigfoot.com             **

Reply via email to