On Fri, May 15, 2015 at 11:45:47PM +0900, Lodewijk andré de la porte wrote:
Noscript is admission of failure to sandbox, and a step away from webapplications.
webapplications are simple development cost externalisations by the VC vultures and their startup slaves and js are a perfect tool in gathering more private information to sell that. webapplications shouldn't exist in the first place, there's OS level binaries that should be used instead. but i totally understand that the time-to-market and the RoI of hiring a bunch of dumb jsdevs is greatly more profitable than doing it right. the incentives of the system subvert and cannibalize the system itself. omnomnom. since you addressed sandboxing, i'm much more of a fan of reducing the attack surface than sandboxing. sandboxing should be only used in a defense-in-depth setup, with other factors being more important, like reducing all the layers of cruft underneath. also lets not forget that the security in browsers is like the security offered by tls, it's mostly in the interest of the industries, not the users sitting behind the browsers. sandboxing in chrome for example is good enough for the startups to not leech the data in other tabs, but looking at the results of various exploit compos confirms that the more resourceful attackers are not much deterred by the sandboxing. whereas noscript is indeed in the interest of the user, not the industries. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt