Re: Why the Internet is so insecure




On Wed, 2016-11-30 at 02:33 -0800, Alice Wonder wrote:
> https://github.com/whatwg/html/issues/2119
> 
> Major flaw in how the specification for window.opener() works resulting 
> in a major phishing vulnerability that is cake to pull off.
> 
> The right solution isn't considered because it would break compatibility 
> with the small number of sites that depend upon the broken specification even 
> though it would be simple for those sites to implement a secure method.
> 
> So instead the entire web is left with an extremely poor default and a 
> crappy solution that won't be implemented by a large number of sites.
> 
> And that's why the Internet will remain a playground for con artists for 
> years to come.
> 
> I've lost faith in the W3C. It's useless, time for a fork and a new 
> standards body. Seriously.
> 
> BTW - the fix that W3C does endorse, the rel="noopener" attribute, if 
> that's the best the W3C is willing to do, Red Hat better make sure it 
> makes it into the ESR version of Firefox they ship or it will be 
> vulnerable for some time.
> 
> The broken fix the W3C endorses isn't even set to make it into standard 
> Firefox until Firefox 52. Which is odd because it is a serious security 
> vulnerability. I'm worried it won't make it into ESR Firefox for some 
> time. ESR often lags on features.

Hi,

To answer the last paragraph: Firefox 52 ESR is scheduled for Q1 2017.

https://wiki.mozilla.org/RapidRelease/Calendar

Regards

Phil

-- 

Google+: https://goo.gl/CPjvNo
Blog: https://philwyett-hemi.blogspot.co.uk/
GitLab: https://gitlab.com/philwyett_hemi/
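The mitigation discussed in the quoted message, rel="noopener", is something a site can apply to its own outbound links before the browser default changes. The following is an added example, not code from this thread or from any of the projects mentioned: a small server-side pass over HTML (for instance user-submitted content that will be rendered to other users) that audits every anchor opening a new tab and adds rel="noopener" where it is missing. Attribute parsing with regular expressions is a deliberate simplification for this illustration; a real deployment would run the same logic over a proper HTML parser's DOM. The function and regex names are my own.

```javascript
// Added example: harden target="_blank" links so the opened page gets
// window.opener === null and cannot navigate the tab that opened it.

// Opening <a ...> tags only (the \b keeps <abbr>, <area> etc. out).
const ANCHOR_TAG = /<a\b([^>]*)>/gi;
// One attribute: name="v", name='v', name=v, or a bare name.
const ATTR = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(raw) {
  const attrs = [];
  for (const m of raw.matchAll(ATTR)) {
    let value = null;
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs.push({ name: m[1], value });
  }
  return attrs;
}

function serializeAttributes(attrs) {
  return attrs
    .map(({ name, value }) =>
      value === null ? name : `${name}="${value.replace(/"/g, '&quot;')}"`)
    .join(' ');
}

function findAttr(attrs, wanted) {
  return attrs.find((a) => a.name.toLowerCase() === wanted);
}

// True when the anchor opens a new browsing context without noopener.
function needsNoopener(attrs) {
  const target = findAttr(attrs, 'target');
  if (!target || (target.value || '').toLowerCase() !== '_blank') return false;
  const rel = findAttr(attrs, 'rel');
  const tokens = rel && rel.value ? rel.value.split(/\s+/).filter(Boolean) : [];
  return !tokens.some((t) => t.toLowerCase() === 'noopener');
}

// Detection: list the anchor tags that would leak window.opener.
function findUnsafeLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_TAG)) {
    if (needsNoopener(parseAttributes(m[1]))) unsafe.push(m[0]);
  }
  return unsafe;
}

// Mitigation: rewrite those anchors, leaving every other tag untouched.
function addNoopener(html) {
  return html.replace(ANCHOR_TAG, (tag, rawAttrs) => {
    const attrs = parseAttributes(rawAttrs);
    if (!needsNoopener(attrs)) return tag;
    const rel = findAttr(attrs, 'rel');
    if (rel && rel.value) rel.value = `${rel.value.trim()} noopener`;
    else if (rel) rel.value = 'noopener';
    else attrs.push({ name: 'rel', value: 'noopener' });
    return `<a ${serializeAttributes(attrs)}>`;
  });
}

// Constructed sample input for a stand-alone run.
const SAMPLE =
  '<p>See <a href="https://example.invalid/" target="_blank">this</a>, ' +
  '<a href="/local">local</a> and ' +
  '<a href="/other" target="_blank" rel="nofollow">that</a>.</p>';

console.log(findUnsafeLinks(SAMPLE));
console.log(addNoopener(SAMPLE));
```

The page being opened can protect itself as well, independently of the linking site: running `if (window.opener) { window.opener = null; }` as early as possible drops the reference before any script on that page can use it. Modern browsers now treat target="_blank" as implying noopener, but content that may be rendered in older engines such as the ESR builds discussed above still benefits from the explicit attribute.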



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
