Re: [dev] [surf] [patch] 13 patches from my Universal Same-Origin Policy branch
Hi Ben, interesting stuff indeed, thanks for sharing.

Some of these features should be merged into the main surf repo, I
think:

- [PATCH 04/13] Disable useless webkit features that could harm
  privacy.

Sounds good to me.

- [PATCH 05/13] Do not trigger a download for subframes that webkit
  cannot handle.

Presuming that would stop websites which use flash from causing surf
to download crap.swf, and similar annoyances, then yes, definitely.

- [PATCH 07/13] add random entropy to user-agent and accept-language
  headers.

I definitely like the idea, but wonder whether the solution in the
patch is a bit overkill. After all, if we're basically just trying
to defeat hashing correlations, then one random byte at the end of
each variable should be enough. Also, unless I'm misreading it, am I
correct in thinking the user-agent string is fully random? I'm
currently using one from an oldish firefox, to reduce
fingerprintability a bit, and I get annoying warnings on github and
a few other places as a result - isn't it better to use a common-ish
UA string with some random crap on the end, so most stupid websites
won't do something annoying?

- [PATCH 09/13] Need this to apparently prevent a race condition
  when calling SETPROP() right after setatom().
- [PATCH 10/13] about:blank seems to not be needed for webkit, and
  makes a distinction without a difference, causing mismatches in
  URI comparison code.

As I read the commit messages for these they're fixing straight-up
bugs in surf.

I haven't tested these patches yet, but they look sensible.

Nick
Received on Thu Mar 26 2015 - 01:03:13 CET