On Sat, 14 Apr 2018 00:20:28 -0700 Samuel Sieb <samuel@xxxxxxxx> wrote: > On 04/12/2018 04:04 PM, Rick Stevens wrote: > > And again, if you don't allow your browser or mail client to install > > software (which is a spectacularly bad idea in the first place) and > > you're careful about which links you click and which packages you > > download and install, it's sort of a moot point. > > It's not about installing something. A website can run javascript on > your browser (unless you're using the mentioned javascript blockers > which cripple most sites). And apparently a website could have > javascript keep running even after you leave the site. This has > possibly been corrected by Firefox. I don't remember all the details. I think that closing the tab ends the javascript access for that site. But I'm running noscript, so it might be that it is noscript, and not firefox, enforcing that. I also run cookie autodelete, and that might end access for a site because any cookies it created are deleted when the tab is closed. I say this because when I close a tab for a site that I've logged into, and then open a new tab for it, I have to enable javascript and log in for that site again. This is complicated, because of the way the web works. If everything displayed in the browser was created by the foreign web server, it would be simpler, though slower. Allowing foreign software to run in the client browser is a security hole, because there will always be bugs, or unintended access routes, in complex software for the bad guys to exploit. The binary for firefox is about 80 MBytes (the hg source repository is over 4 GBytes), that's a lot of attack surface. _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
