autoexec 10 hours ago

I already keep SVG disabled for security reasons, but it's increasingly looking like I'll have to find some way to disable CSS too. It's too bad people couldn't leave CSS alone as a nice simple (sort of) way to format text because turning it into another programming language is begging for it to be abused by hackers and other malicious actors (like advertisers) just like JS.

bawolff 6 hours ago

> It's too bad people couldn't leave CSS alone as a nice simple (sort of) way to format text

The base form of this attack goes back to the original CSS 1.

Honestly you are massively overreacting. This type of attack was much, much easier to pull off in the late 2000s than it is now. It's basically impossible in practice nowadays.

designerarvid 4 hours ago

Maybe I’m too much of a normie to understand, but surely keeping your secure data away from your browser must be better than securing the browser to the point that it stops working?

notachatbot123 3 hours ago

Any service that is exposed as a website that has data which you would like to keep secure = potentially hacked through attacks like these. It's usually not possible to choose to not have data available on internet connected services sadly.

designerarvid 2 hours ago

Of course, but why not access those particular services in a more secure way? With other browser settings, another browser, or another machine altogether?

Turning off JS permanently is like keeping your wallet in a safe you carry around all the time because once in a while you need to visit the dangerous parts of the town.

djoldman 5 minutes ago

I have JS off by default and click one button to turn it on per website. You might be surprised how much faster the web is and how often you don't need JS.

VerifiedReports 3 hours ago

What security reasons (other than that cited by this demo, which doesn't seem to work on most platforms)?

paulpauper 9 hours ago

nah, that is overkill. the probability of falling for this is still tiny and it cannot break the sandbox, steal session cookies, or anything like that.

autoexec 6 hours ago

Sandbox escapes are discovered all the time (pretty sure I've read about a few just this past week) and there are a lot of other problems CSS can enable (ads, fingerprinting, etc)

est 8 hours ago

why not disable javascript once and for all.

Most sites shouldn't run any js after content is loaded.

I hope there's something like <body onload="js.disable()">

I can only do it manually in DevTool.

rebane2001 3 hours ago

As a user: Browsers let you manually disable JS, but you can also use an extension such as NoScript (I do).

As a web developer: You can use Content Security Policy to limit or disable JS, as well as other resources such as CSS and images.

bawolff 6 hours ago

That's not relevant to the attack discussed in the article. These types of attacks do not involve javascript, nor could they due to the same origin policy.

pcthrowaway 6 hours ago

Why on earth would you want to load JS before content is loaded but not after? If you are able to assemble the page based on data sources before loading the page, you can just server-render the damn thing and disable JS altogether?

JS is essential for polished UX when you have highly interactive components. Technically mapquest got server-rendered interactive maps working, but no one would choose that over the usability of Google Maps or OpenStreetMaps today

est 4 hours ago

> Why on earth would you want to load JS before content is loaded but not after?

apparently, single-page-apps are an unstoppable trend. I tried to disable JS and 99% of sites won't work.

But for content sites, after the article is loaded, disabling JS provides a much better reading experience.

> but no one would choose that over the usability of Google Maps or OpenStreetMaps today

That's a valid use for JS. But if you think about it, can we make a js-free map tool using techniques from OP's article? https://codepen.io/rebane2001/details/OPVQXMv

autoexec 6 hours ago

I've got noscript which at least keeps JS off by default and allows me to selectively enable scripts by domain. Now I just need a similar tool for CSS. Something that whitelists a sane set of features that can't be used (at least as easily) for interactivity, ads, fingerprinting, and other malicious activity while letting me explicitly blacklist annoyances (like scrollbar styles or sticky headers). The way things are going I'll probably need something similar for HTML too.

kg 6 hours ago

Does JS protect against this particular attack? It seems like it's mostly implemented in CSS and SVG.