[CentOS] Why the Internet is so insecure

Wed Nov 30 11:41:53 UTC 2016
Phil Wyett <philwyett.hemisphere at gmail.com>

On Wed, 2016-11-30 at 02:33 -0800, Alice Wonder wrote:
> https://github.com/whatwg/html/issues/2119
> 
> Major flaw in how the specification for window.opener() works resulting 
> in a major phishing vulnerability that is cake to pull off.
> 
> The right solution isn't considered because it would break compatibility 
> with the few sites that depend upon the broken specification even 
> though it would be simple for those sites to implement a secure method.
> 
> So instead the entire web is left with an extremely poor default and a 
> crappy solution that won't be implemented by a large number of sites.
> 
> And that's why the Internet will remain a playground for con artists for 
> years to come.
> 
> I've lost faith in the W3C. It's useless, time for a fork and a new 
> standards body. Seriously.
> 
> BTW - the fix that W3C does endorse, the rel="noopener" attribute, if 
> that's the best the W3C is willing to do, Red Hat better make sure it 
> makes it into the ESR version of Firefox they ship or it will be 
> vulnerable for some time.
> 
> The broken fix the W3C endorses isn't even set to make it into standard 
> Firefox until Firefox 52. Which is odd because it is a serious security 
> vulnerability. I'm worried it won't make it into ESR Firefox for some 
> time. ESR often lags on features.

Hi,

To answer the last paragraph. Firefox 52 ESR is scheduled for Q1 2017.

https://wiki.mozilla.org/RapidRelease/Calendar

Regards

Phil

-- 

Google+: https://goo.gl/CPjvNo
Blog: https://philwyett-hemi.blogspot.co.uk/
GitLab: https://gitlab.com/philwyett_hemi/
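As an added example (not code from the thread or from the linked WHATWG issue), a small Node.js audit that finds `target="_blank"` links lacking `rel="noopener"` and rewrites them, which is the mitigation the quoted message refers to; it also adds `noreferrer`, the usual belt-and-braces for browsers that predate `noopener`. The sample HTML is constructed.

```javascript
// Added example, not code from the thread: audit and harden <a target="_blank"> links.
// Without rel="noopener", a page opened via target="_blank" keeps a window.opener
// handle back to the opening tab, the default the thread objects to. Regex-based
// tag scan: fine for an audit, not a full HTML parser.

const ANCHOR_RE = /<a\b([^>]*)>/gi;

// Parse the attribute list of one <a> tag into an object (lower-cased names).
function parseAttrs(attrText) {
  const attrs = {};
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when the anchor opens a new browsing context without severing window.opener.
function isLeakyAnchor(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener');
}

// Return the href of every leaky anchor in the document (audit output).
function findLeakyLinks(html) {
  const leaks = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (isLeakyAnchor(attrs)) leaks.push(attrs.href || '');
  }
  return leaks;
}

// Rewrite leaky anchors so the opened page receives a null window.opener.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!isLeakyAnchor(attrs)) return tag;
    const rel = (attrs.rel ? attrs.rel + ' ' : '') + 'noopener noreferrer';
    const stripped = attrText.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return `<a${stripped} rel="${rel}">`;
  });
}

// Constructed sample page: one leaky link, one already safe, one same-tab link.
const SAMPLE = '<p><a href="https://example.org/a" target="_blank">a</a> ' +
  '<a href="https://example.org/b" target="_blank" rel="noopener">b</a> <a href="/local">c</a></p>';
```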

