Email or username:

Password:

Forgot your password?
CatSalad馃悎馃 (D.Burch) :blobcatrainbow:'s posts Post Back to profile
Top-level
Simon D眉ckert

@mathew @ljrk @catsalad @mozilla @torproject @eff Time to say goodbye to Chrome. Is Chromium also affected?

18 Nov 2023 at 7:18 | Wall-to-wall | Open on chaos.social
5 comments
folti

@sdueckert @mathew @ljrk @catsalad @mozilla @torproject @eff it's de facto managed by the Google Chrome team as the base of Chrome. So don't expect anything else from it than from Chrome. Some other browsers based on it pledged to either retain V2 support, or implement their own adblock features (Brave, Opera, Vivaldi), while others don't, like Microsoft Edge who already stopped supporting V2.

19 Nov 2023 at 12:54 | Open on infosec.exchange
FamilyCyclist
lj路rk

@FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Yup, if nothing changes, the code will not only be disabled but removed from the code base and maintaining a fork that keeps it is unrealistic.

tbqf, the fundamental idea of MV3 isn't bad: Allowing for near arbitrary scripts to execute in the browser, fetched automatically from remote servers is basically a critical RCE vulnerability by design. The move to declarative filters and reimplementing the filtering code itself in native code is a good move and even speeds up filtering! It's something we, usually, should cheer!

Unfortunately Google decided to have a rather restricted set of API filtering features available that don't aren't sufficient to reimplement uBO in this declarative way, and also put arbitrary restrictions on foreign filtering rules. It's a gift, but a poisoned one.

@FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Yup, if nothing changes, the code will not only be disabled but removed from the code base and maintaining a fork that keeps it is unrealistic.

tbqf, the fundamental idea of MV3 isn't bad: Allowing for near arbitrary scripts to execute in the browser, fetched automatically from remote servers is basically a critical RCE vulnerability by design. The move to declarative filters and reimplementing the filtering code itself in native...

31 January at 8:24 | Open on todon.eu
mkind

@ljrk @FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Execute code from a remote source is the whole idea of the web. That's the design idea. The CSP allows mitigating arbitrary exec though.

31 January at 10:00 | Open on chaos.social
lj路rk

@mkind @FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Well, it's the idea of the web since Javascript -- at least depending on your definition of "executing code". But I'd argue viewing an HTML file is not executing remote code but local code that's interpreting a declarative(!) file, just like viewing a PNG; I wouldn't call either executing remote code.

That being said, running code from a website is still less of a problem than an extension, since the website's code (barring exploits) can only exfiltrate data I give/enter the website the data anyway. The extension can, in theory, exfiltrate data from any website.

@mkind @FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Well, it's the idea of the web since Javascript -- at least depending on your definition of "executing code". But I'd argue viewing an HTML file is not executing remote code but local code that's interpreting a declarative(!) file, just like viewing a PNG; I wouldn't call either executing remote code.

31 January at 10:33 | Open on todon.eu
Go Up