Re: [dev] [surf] adblocking

From: Christoph Lohmann <20h_AT_r-36.net>
Date: Wed, 21 Nov 2012 11:23:08 +0100

Greetings.

On Wed, 21 Nov 2012 11:23:08 +0100 Sam Watkins <sam_AT_nipl.net> wrote:
> On 11-20 08:08, Andrew Hills wrote:
> > Would it be possible to disable requests made by the page to any
> > address outside the page's domain?
>
> This is a worthwhile option for the browser.
>
> It can block many ads, and also block cross-site request forgery exploits.
>
> CSRF exploits take advantage of a major security hole in HTTP /
> web browser implementation, and can sometimes work without scripting -
> a static page can damage intranet / local web services using just a whole lot
> of img tags or similar, such as <img src="192.168.1.1/delete_stuff?id=1234">.
> Home routers are vulnerable to these attacks, leads to DNS poisoning, etc.
>
> A page with javascript can also make post requests to local services,
> I guess this works even in surf.

Cross‐site scripting is already a backwards compatibility to Google,
like Windows is the backward compatibility to the proprietary world. But
yes, it would be a nice toggle for surf, to turn off by default any
cross‐site loading and then turn it on when needed. Any volunteers? I
can’t stand that GTK abomination.


Sincerely,

Christoph Lohmann
Received on Wed Nov 21 2012 - 11:23:08 CET