jd1008 wrote:
> On 06/12/2015 07:28 AM, g wrote:
>> On 06/10/2015 03:56 AM, Always Learning wrote:
>>> I displayed, as a web page, a list of search results created in PHP,
>>> from MySQL.
>> i am still using 24.8.0 and do not have to contend with all the
>> bugs introduced by moz dev and their 'bells and whistles' when
>> they started trying to get ahead of gaagle chrome web browser.
>>
>> you will get better results for your problems if you would post
>> them to the mozilla-support-firefox at lists.mozilla.org which you
>> can join subscribing to list at;
>>
>> https://lists.mozilla.org/listinfo/support-firefox
>>
>>> A candidate for upstream bugzilla ?
>> maybe at mozilla.org, but not at centos.org.
>>
>>
> The most offensive problems of using browsers is that
> they do not tell you nor ask your permission when javascripts
> spy on your entire storage contents.
> I had asked a java developer at Sun Microsystems about
> what Sun means when it says that Java runs in a sandbox?
> Just what is the sandbox?
> I also asked if browsers that execute javascripts are restricted
> to this notion of a sandbox that does not leak out into
> the rest of the system.
>
> He said the "sandbox" is the entire storage on your computer.
>
> Enough said.

Please note that java and javascript are two separate languages.... And I
have noscript installed everywhere....

      mark

On Sat, Jun 13, 2015 at 10:55:47AM -0600, jd1008 wrote:
> The most offensive problems of using browsers is that
> they do not tell you nor ask your permission when javascripts
> spy on your entire storage contents.

Huh? You've been misinformed. Certainly there have been exploits
against browsers to bypass the sandbox, but this isn't the default
configuration in any browser I know of.

> I had asked a java developer at Sun Microsystems about
> what Sun means when it says that Java runs in a sandbox?
> Just what is the sandbox?
> I also asked if browsers that execute javascripts are restricted
> to this notion of a sandbox that does not leak out into
> the rest of the system.
>
> He said the "sandbox" is the entire storage on your computer.

Java != JavaScript. It's a common misconception. Perhaps that's why
this java developer might have answered the way he did, although I'm
fairly certain Java sandboxes can also be restricted (although I'm no
Java developer) so they don't have access to the entire storage of
your computer. Certainly, simple UNIX permissions prevent both Java
and browsers from getting access to the *entire* storage on your
computer, unless they're used to exploit some other vulnerability.

If you're concerned about JavaScript, I suggest looking into the
NoScript firefox extension.

-- 
Jonathan Billings <billings at negate.org>

On 06/13/2015 09:55 AM, jd1008 wrote:
> The most offensive problems of using browsers is that
> they do not tell you nor ask your permission when javascripts
> spy on your entire storage contents.

Neither javascript nor Java applets can access the local filesystem.
Applets launched by JNLP can do so, but that involves a pop-up that
asks the user's permission.

> He said the "sandbox" is the entire storage on your computer.

Misunderstandings do happen in natural language.

On Sat, 2015-06-13 at 10:55 -0600, jd1008 wrote:
> The most offensive problems of using browsers is that
> they do not tell you nor ask your permission when javascripts
> spy on your entire storage contents.
> I had asked a java developer at Sun Microsystems about
> what Sun means when it says that Java runs in a sandbox?
> Just what is the sandbox?
> I also asked if browsers that execute javascripts are restricted
> to this notion of a sandbox that does not leak out into
> the rest of the system.
>
> He said the "sandbox" is the entire storage on your computer.
>
> Enough said.

It is my understanding that Java and Javascript are different; that Java
is dangerous whilst Javascript is (hopefully) harmless.

-- 
Regards,

Paul.
England, EU.      England's place is in the European Union.

On Fri, June 12, 2015 2:56 pm, Always Learning wrote:
>
> On Sat, 2015-06-13 at 10:55 -0600, jd1008 wrote:
>
>> The most offensive problems of using browsers is that
>> they do not tell you nor ask your permission when javascripts
>> spy on your entire storage contents.
>> I had asked a java developer at Sun Microsystems about
>> what Sun means when it says that Java runs in a sandbox?
>> Just what is the sandbox?
>> I also asked if browsers that execute javascripts are restricted
>> to this notion of a sandbox that does not leak out into
>> the rest of the system.
>>
>> He said the "sandbox" is the entire storage on your computer.
>>
>> Enough said.
>
> It is my understanding that Java and Javascript are different; that Java
> is dangerous whilst Javascript is (hopefully) harmless.
>

Not necessarily. Both of them are an execution of somebody else's code on
your computer. One (java) may be considered running with [much] more
sophisticated interpreter. Another (javascript) by its nature has to be
less sophisticated code, running with different interpreters written
independently by each browser vendor (even though they all are javascript
interpreters, they differ grossly). But the bottom line is the same: in
both cases you are executing somebody else's code on your computer.

Valeri

>
> --
> Regards,
>
> Paul.
> England, EU.      England's place is in the European Union.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

On Jun 12, 2015, at 1:56 PM, Always Learning <centos at u64.u22.net> wrote:
>
> It is my understanding that Java and Javascript are different;

They're as different as India and Indiana.

> Java is dangerous whilst Javascript is (hopefully) harmless.

That's a pretty unsophisticated way to look at it.

*Ideally*, Java is quite safe. It was designed with security in mind, and browser Java is much more tightly constrained in terms of what it can do than desktop, server, or embedded/mobile Java.

Yet, there's been a continuous stream of security updates to Java for the past 20 years, with no reason to believe this will slow down. Why?

The big problem is those four major use scenarios for Java, all handled by one runtime. We keep finding ways for browser Java to do things that should only be possible in one of the other scenarios.

If you trust the source of a Java applet, it's probably fine to run it. But, I wouldn't enable Java in the browser if you don't know for a fact that you need it. Whitelists are probably the best ultimate solution, short of getting rid of Java entirely.

As for JavaScript, there isn't too much harm you can do with it directly. It doesn't have all that desktop, enterprise, mobile, and embedded stuff built into it as with Java, so it doesn't have to try to wall all of that off.

The main point of blocking JavaScript is that it throws a spike strip in the path of many other types of attacks. For instance, a Flash exploit often relies on some JS probing code to run before it can run, so blocking JS provides a second layer of protection while you're waiting for Adobe to get around to patching the Flash plugin.

There is some minor evil possible directly from JavaScript. Some examples:

* The original popup problem is largely solved, but now it's resurfacing as main-page takeover ads. Block JS and you generally block these, too.

* A script can probe your surfing history by dynamically generating hyperlinks in a hidden browser DOM, then checking how the browser styled those elements to infer whether you've clicked on that URL before. It's a brute-force kind of thing, so it's not too serious in practice, but it is a privacy leak.

On 06/12/2015 07:28 AM, g wrote:
>
> On 06/10/2015 03:56 AM, Always Learning wrote:
>> I displayed, as a web page, a list of search results created in PHP,
>> from MySQL.
> i am still using 24.8.0 and do not have to contend with all the
> bugs introduced by moz dev and their 'bells and whistles' when
> they started trying to get ahead of gaagle chrome web browser.
>
> you will get better results for your problems if you would post
> them to the mozilla-support-firefox at lists.mozilla.org which you
> can join subscribing to list at;
>
> https://lists.mozilla.org/listinfo/support-firefox
>
>> A candidate for upstream bugzilla ?
> maybe at mozilla.org, but not at centos.org.
>
>

The most offensive problems of using browsers is that
they do not tell you nor ask your permission when javascripts
spy on your entire storage contents.
I had asked a java developer at Sun Microsystems about
what Sun means when it says that Java runs in a sandbox?
Just what is the sandbox?
I also asked if browsers that execute javascripts are restricted
to this notion of a sandbox that does not leak out into
the rest of the system.

He said the "sandbox" is the entire storage on your computer.

Enough said.

On 06/12/2015 11:25 AM, m.roth at 5-cent.us wrote:
> jd1008 wrote:
>> On 06/12/2015 07:28 AM, g wrote:
>>> On 06/10/2015 03:56 AM, Always Learning wrote:
>>>> I displayed, as a web page, a list of search results created in PHP,
>>>> from MySQL.
>>> i am still using 24.8.0 and do not have to contend with all the
>>> bugs introduced by moz dev and their 'bells and whistles' when
>>> they started trying to get ahead of gaagle chrome web browser.
>>>
>>> you will get better results for your problems if you would post
>>> them to the mozilla-support-firefox at lists.mozilla.org which you
>>> can join subscribing to list at;
>>>
>>> https://lists.mozilla.org/listinfo/support-firefox
>>>
>>>> A candidate for upstream bugzilla ?
>>> maybe at mozilla.org, but not at centos.org.
>>>
>>>
>> The most offensive problems of using browsers is that
>> they do not tell you nor ask your permission when javascripts
>> spy on your entire storage contents.
>> I had asked a java developer at Sun Microsystems about
>> what Sun means when it says that Java runs in a sandbox?
>> Just what is the sandbox?
>> I also asked if browsers that execute javascripts are restricted
>> to this notion of a sandbox that does not leak out into
>> the rest of the system.
>>
>> He said the "sandbox" is the entire storage on your computer.
>>
>> Enough said.
> Please note that java and javascript are two separate languages.... And I
> have noscript installed everywhere....
>
>       mark
>

Mark, please be aware that noscript has also a whitelist that is not
viewable by the user. The whitelist tab does NOT list the hidden
white listed entries.

On 06/12/2015 11:57 AM, Jonathan Billings wrote:
> On Sat, Jun 13, 2015 at 10:55:47AM -0600, jd1008 wrote:
>> The most offensive problems of using browsers is that
>> they do not tell you nor ask your permission when javascripts
>> spy on your entire storage contents.
> Huh? You've been misinformed. Certainly there have been exploits
> against browsers to bypass the sandbox, but this isn't the default
> configuration in any browser I know of.

Configuration or no, the developer told me the bottom line scoop.
FF, SM, IE, ....etc, all execute javascripts like obedient slaves.

>
>> I had asked a java developer at Sun Microsystems about
>> what Sun means when it says that Java runs in a sandbox?
>> Just what is the sandbox?
>> I also asked if browsers that execute javascripts are restricted
>> to this notion of a sandbox that does not leak out into
>> the rest of the system.
>>
>> He said the "sandbox" is the entire storage on your computer.
> Java != JavaScript. It's a common misconception. Perhaps that's why
> this java developer might have answered the way he did, although I'm
> fairly certain Java sandboxes can also be restricted (although I'm no
> Java developer) so they don't have access to the entire storage of
> your computer. Certainly, simple UNIX permissions prevent both Java
> and browsers from getting access to the *entire* storage on your
> computer, unless they're used to exploit some other vulnerability.
>
> If you're concerned about JavaScript, I suggest looking into the
> NoScript firefox extension.

All your browsing history, all cookies ...etc are open books
as far as many javascripts are concerned.
For example, all browsers execute the javascript called
googleusercontent.com

Please read this page:
http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com

Be INFORMED!!

On 06/12/2015 12:58 PM, Gordon Messmer wrote:
> On 06/13/2015 09:55 AM, jd1008 wrote:
>> The most offensive problems of using browsers is that
>> they do not tell you nor ask your permission when javascripts
>> spy on your entire storage contents.
>
> Neither javascript nor Java applets can access the local filesystem.
> Applets launched by JNLP can do so, but that involves a pop-up that
> asks the user's permission.
>
>> He said the "sandbox" is the entire storage on your computer.
>
> Misunderstandings do happen in natural language.

NOP!! He stated NO misunderstanding.
I think you are simply repeating what you have learned
NOT by actually knowing the code and implementation
the way the developer of the product knew it.
Your info is both dated and part of the marketing blurbs.

Question: 2 marketing execs are talking with each other.
Which one of them is lying?

ANS: The one whose lips are moving.