
Firefox OS and Javascript


moz...@zp1.net

Aug 9, 2014, 6:05:56 AM
to evang...@lists.mozilla.org
Hi Fans

We all know that JavaScript's main reason is to use the resources of the
client to steal data from the client and send it to a server, or help to
install unwanted software.
In the past at least they said JavaScript works in a sandbox and cannot
gain root rights.

I have a question after analyzing Firefox OS:
So Firefox OS is like using a browser with root rights without the
possibility to turn off JavaScript or clean the cache and the cookies?

Thanks for the answer.

Manish Goregaokar

Aug 9, 2014, 2:57:11 PM
to moz...@zp1.net, evangelism
>
> We all know that JavaScript's main reason is to use the resources of the
> client to steal data from the client and send it to a server, or help to
> install unwanted software.
>

What? No. That's not the main reason behind JS.

> In the past at least they said JavaScript works in a sandbox and cannot
> gain root rights.
>

True.

> I have a question after analyzing Firefox OS:
> So Firefox OS is like using a browser with root rights without the
> possibility to turn off JavaScript or clean the cache and the cookies?
>

The OS itself? Sure, no possibility of turning off cookies or JS (but Gaia
doesn't exactly have root). Except that only apps run at the OS level. Web
pages viewed in the browser are treated the same way as web pages you view
on desktop. There may not be an option of turning off JS, but there should
be one for clearing the cache.

Janet Swisher

Aug 9, 2014, 7:02:17 PM
to Manish Goregaokar, moz...@zp1.net, evangelism

>> I have a question after analyzing Firefox OS:
>> So Firefox OS is like using a browser with root rights without the
>> possibility to turn off JavaScript or clean the cache and the cookies?
>>
Maybe these articles will help clarify the security framework of Firefox OS:
https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_model
https://developer.mozilla.org/en-US/Firefox_OS/Security/Application_security

--
Janet Swisher <mailto:jREMOVE...@mozilla.com>
Mozilla Developer Network <https://developer.mozilla.org>
Developer Relations Community Organizer

moz...@zp1.net

Aug 10, 2014, 12:18:06 PM
to Manish Goregaokar, jswi...@mozilla.com, evangelism
Thanks Janet, thanks Manish

> The OS itself? Sure, no possibility of turning off cookies or JS (but
> Gaia doesn't exactly have root). Except that only apps run at the OS
> level. Web pages viewed in the browser are treated the same way as web
> pages you view on Desktop. There may not be an option of turning off
> JS, but there should be one for clearing the cache.

If there is no way of turning off JavaScript, how can a user protect
against malicious code?

http://en.wikipedia.org/wiki/Cross-site_scripting
http://deadliestwebattacks.com/2013/01/22/know-your-javascript-injections/
http://www.sophos.com/en-us/security-news-trends/security-trends/malicious-javascript.aspx

Manish Goregaokar

Aug 10, 2014, 1:55:22 PM
to moz...@zp1.net, evangelism, Janet Swisher
Most mobile browsers don't have the ability to turn off JavaScript. Same
goes for the browser in FxOS. A NoScript-like environment is possible, but
the ability to add exceptions is hard to implement for a mobile device.

The OS itself -- again, there's no need to turn off JavaScript there.

-Manish Goregaokar

Christian Heilmann

Aug 10, 2014, 1:55:46 PM
to moz...@zp1.net, Janet Swisher, evang...@lists.mozilla.org, Manish Goregaokar
All of these attacks rely on an XSS entry point, meaning that you need to
get data from a URL and print it out unsanitised somewhere in the document.
Firefox OS applications don't allow for the most abused way to create this,
which is cross-origin data access. Each app needs to comply with a content
security policy which disallows, for example, the eval() command necessary to
execute malicious code from a third-party source.

In any case, turning off JavaScript doesn't protect you fully on the web
either. There are many XSS attacks possible with CSS or malformed images
and videos.

Either of these attacks, however, relies on a browser that isn't sandboxed and
can read and write content across domains and tabs - something a content
security policy prevents. Many of the attacks listed by Sophos and others
also rely on plugins like Flash, Silverlight or Adobe Reader, none of
which are available in Firefox OS.

Saying Firefox OS is inherently insecure because it uses Firefox is like
saying cars are inherently lethal to humans because they can be driven too
fast. Good security is a mixture of filtering, sanitising and keeping a
system up to date. Demonizing one technology is good marketing if you are a
security company, but any can be exploited. If you really want a dangerous
technology, think of Java exploits. Those give you full OS access and
Android is based on it.
On 10 Aug 2014 18:19, <moz...@zp1.net> wrote:

> Thanks Janet, thanks Manish
>
>> The OS itself? Sure, no possibility of turning off cookies or JS (but
>> Gaia doesn't exactly have root). Except that only apps run at the OS level.
>> Web pages viewed in the browser are treated the same way as web pages you
>> view on Desktop. There may not be an option of turning off JS, but there
>> should be one for clearing the cache.
>>
>
> if there is no way of turning off javascript how can a user protect
> against malicious code?
>
> http://en.wikipedia.org/wiki/Cross-site_scripting
> http://deadliestwebattacks.com/2013/01/22/know-your-javascript-injections/
> http://www.sophos.com/en-us/security-news-trends/security-trends/malicious-javascript.aspx
> _______________________________________________
> Evangelism mailing list
> Evang...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/evangelism
>
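The two mechanisms Christian describes above, an XSS entry point (a value taken from the URL and written into the document unsanitised) and a content security policy that withholds eval(), shown side by side as an added example. This is not code from the thread, from Gaia or from Gecko; it runs under Node.js with no DOM, so the "page" is modelled as an HTML string. All function names, the sample URL and both policy strings are constructed for this example; the strict policy is only in the style of an app CSP and does not reproduce the real Firefox OS policy.

```javascript
// Added example, not code from the thread or from Firefox OS/Gaia/Gecko.
// Runs under Node.js; the rendered page is modelled as an HTML string.

// The classic reflected-XSS entry point: a value read from the URL and
// interpolated into markup without sanitising. Attacker-controlled tags survive.
function renderGreetingUnsafe(pageUrl) {
  const name = new URL(pageUrl).searchParams.get("name") || "guest";
  return `<p>Hello, ${name}</p>`;
}

// Hardened form: escape the five HTML-significant characters before
// interpolating (the string equivalent of assigning textContent in a browser).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderGreetingSafe(pageUrl) {
  const name = new URL(pageUrl).searchParams.get("name") || "guest";
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Minimal parser for a Content-Security-Policy value of the form
// "directive src src; directive src". Returns { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Effective script sources: script-src if present, otherwise default-src.
function effectiveScriptSources(policy) {
  const d = parseCsp(policy);
  return d["script-src"] || d["default-src"] || [];
}

// eval() / new Function() only run when the effective script-src carries
// 'unsafe-eval'; a policy without it is what denies "code from a string".
function cspAllowsEval(policy) {
  return effectiveScriptSources(policy).includes("'unsafe-eval'");
}

// Inline <script> blocks and on* handlers only run with 'unsafe-inline', so a
// policy without it also neutralises the injected tag from the unsafe renderer.
function cspAllowsInlineScript(policy) {
  return effectiveScriptSources(policy).includes("'unsafe-inline'");
}

// Constructed sample input (not from the thread): a URL whose query string
// carries a script tag, plus a permissive and a strict policy.
const SAMPLE_URL = "https://app.example/greet?name=" +
  encodeURIComponent("<script>alert(1)</script>");
const PERMISSIVE_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";
const STRICT_CSP =
  "default-src *; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'";

console.log(renderGreetingUnsafe(SAMPLE_URL)); // the <script> tag is emitted intact
console.log(renderGreetingSafe(SAMPLE_URL));   // rendered as visible text, not markup
console.log("permissive allows eval:", cspAllowsEval(PERMISSIVE_CSP));
console.log("strict allows eval:", cspAllowsEval(STRICT_CSP));
console.log("strict allows inline script:", cspAllowsInlineScript(STRICT_CSP));
```

The point of checking both functions against the strict policy is that the CSP and the output escaping are independent layers: escaping closes the entry point, and a script-src without 'unsafe-inline' or 'unsafe-eval' limits what an injection could do if some other entry point were missed.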

Manish Goregaokar

Aug 10, 2014, 1:59:16 PM
to Christian Heilmann, Janet Swisher, moz...@zp1.net, evangelism
Actually, we might be confused here as to what the OP is talking about.

Are you concerned about JavaScript as running for web pages within the
actual browser app in Firefox OS, or JavaScript running in the OS itself
and other apps? The latter isn't a security hole -- all apps for all mobile
OSes are able to track you if they want and mess up your system with the
right permissions (so be careful when installing apps -- and FxOS has an
app review process anyway).

The mobile browser used in FxOS? Most mobile browsers don't have a "turn
off JS" button, and this anyway is the least effective way to prevent
attacks as detailed by Christian above.

-Manish Goregaokar


On Sun, Aug 10, 2014 at 11:25 PM, Christian Heilmann <chei...@mozilla.com> wrote:

moz...@zp1.net

Aug 11, 2014, 4:49:51 AM
to evang...@lists.mozilla.org
On 10-08-2014 19:55, Christian Heilmann wrote:
> [..]
>
> In any case turning off JavaScript doesn't protect you fully on the web
> either. There are many xss attacks possible with css or malformed images
> and videos.
I am not talking about turning off JavaScript, but about including in Gaia &
Gecko technologies like NoScript or AdBlock.
Cross-site scripting or data security is only a small aspect. We could talk
about jokes like clickjacking and other, in your eyes minor, aspects that
will be a blocker when it comes to selling devices.
Make a device that at least tries to be secure.
Make devices for users, not useds.

> Either of these attacks, however rely on a browser that isn't sandboxed and
> can read and write content across domains and tabs - something a content
> security policy prevents. Many of the listed attacks by sophos and others
> also rely on plugins like flash, silver light or adobe reader, neither of
> which are available in Firefox os.
I am not talking about plugins.
I am talking about that cancer of the web called JavaScript, which you include
in Gaia and Gecko and which cannot be controlled by the useds.


> Saying Firefox os is inherently insecure because is uses Firefox is like
> saying cars are inherently lethal to humans because they can be driven too
> fast.

Probably you want to say:
Saying Firefox OS is inherently insecure because it uses *JavaScript* is like
saying cars are inherently lethal to humans because they can be driven too
fast.
The comparison is bad. The OS is not insecure. I say:
Firefox OS using a JavaScript interpreter that cannot be controlled by the
useds is disrespectful towards the useds.
