Why the Internet is so insecure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



https://github.com/whatwg/html/issues/2119

Major flaw in how the specification for window.opener() works resulting in a major phishing vulnerability that is cake to pull off.

The right solution isn't considered because it would break compatibility with the few number sites that depend upon the broken specification even though it would be simple for those sites to implement a secure method.

So instead the entire web is left with an extremely poor default and a crappy solution that won't be implemented by a large number of sites.

And that's why the Internet will remain a playground for con artists for years to come.

I've lost faith in the W3C. It's useless, time for a fork and a new standards body. Seriously.

BTW - the fix that W3C does endorse, the rel="noopener" attribute, if that's the best the W3C is willing to do, Red Hat better make sure it makes it into the ESR version of FireFox they ship or it will be vulnerable for some time.

The broken fix the W3C endorses isn't even set to make it into standard FireFox until FireFox 52. Which is odd because it is a serious security vulnerability. I'm worried it won't make it into ESR FireFox for some time. ESR often lags on features.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux