[CentOS] C5 : Firefox 38 bug

Fri Jun 12 19:51:06 UTC 2015
Jonathan Billings <billings at negate.org>

On Fri, Jun 12, 2015 at 03:43:11PM -0400, Jonathan Billings wrote:
> It's technically true, however, XSS attacks can get around that
> restriction, which is why you saw so much malware posted on a site
> like googleusercontent.com.  Sites that allow users to upload content
> are always being used to host malware for XSS attacks.  But you still
> need to be visiting a site with the same domain as the cookie, and
> load a compromised page.  Plus, if you use HttpOnly cookies, you
> have to go through even more complex XSS exploits to get at the
> cookie, since they aren't accessible through the DOM model.

I should add that the exploits are constantly being addressed by both
Web Browser developers as well as developers of extensions like
NoScript.  It's an arms race.

Jonathan Billings <billings at negate.org>
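
Added example, not part of the original message: a small JavaScript audit of Set-Cookie headers that reports which cookies lack HttpOnly (and are therefore readable through document.cookie) and which hosts each cookie is scoped to. The header values, the host name and the function names are constructed for illustration.

```javascript
// Constructed sample Set-Cookie header values (not from the original thread).
const SAMPLE_HEADERS = [
  "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "prefs=dark; Path=/; Domain=example.com",
  "token=xyz; Domain=.example.com; Path=/; httponly",
];

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  const name = eq === -1 ? first : first.slice(0, eq);
  const attrs = {};
  for (const part of parts) {
    const i = part.indexOf("=");
    // Attribute names are case-insensitive, so normalise them.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Report, per cookie, whether page script can read it and how widely it is sent.
function auditCookies(headers, requestHost) {
  return headers.map((h) => {
    const { name, attrs } = parseSetCookie(h);
    const domain = typeof attrs.domain === "string"
      ? attrs.domain.replace(/^\./, "").toLowerCase()
      : null;
    return {
      name,
      // Without HttpOnly the cookie is exposed to script via document.cookie.
      scriptReadable: !("httponly" in attrs),
      // A Domain attribute widens the cookie to that domain and its
      // subdomains; without it the cookie is host-only.
      scope: domain ? `${domain} and subdomains` : `${requestHost} only`,
      secure: "secure" in attrs,
    };
  });
}

// Keep only the cookies a script running on an in-scope page could read.
function findings(headers, requestHost) {
  return auditCookies(headers, requestHost)
    .filter((c) => c.scriptReadable)
    .map((c) => `${c.name}: readable by script on ${c.scope}`);
}

console.log(findings(SAMPLE_HEADERS, "www.example.com"));
```

A cookie flagged here with a domain-wide scope is the case to review first when any host under that domain serves user-uploaded content.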