Gregory's Server|
3 comments
@ljrk @FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Execute code from a remote source is the whole idea of the web. That's the design idea. The CSP allows mitigating arbitrary exec though. |
|
3 comments
@ljrk @FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Execute code from a remote source is the whole idea of the web. That's the design idea. The CSP allows mitigating arbitrary exec though. |
@FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Yup, if nothing changes, the code will not only be disabled but removed from the code base and maintaining a fork that keeps it is unrealistic.
tbqf, the fundamental idea of MV3 isn't bad: Allowing for near arbitrary scripts to execute in the browser, fetched automatically from remote servers is basically a critical RCE vulnerability by design. The move to declarative filters and reimplementing the filtering code itself in native code is a good move and even speeds up filtering! It's something we, usually, should cheer!
Unfortunately Google decided to have a rather restricted set of API filtering features available that don't aren't sufficient to reimplement uBO in this declarative way, and also put arbitrary restrictions on foreign filtering rules. It's a gift, but a poisoned one.
@FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Yup, if nothing changes, the code will not only be disabled but removed from the code base and maintaining a fork that keeps it is unrealistic.
tbqf, the fundamental idea of MV3 isn't bad: Allowing for near arbitrary scripts to execute in the browser, fetched automatically from remote servers is basically a critical RCE vulnerability by design. The move to declarative filters and reimplementing the filtering code itself in native...