1
0
Fork 0
mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-11-14 01:32:11 +00:00

Amend pale moon note

This commit is contained in:
Rohan Kumar 2022-06-01 17:37:24 -07:00
parent 425071eade
commit 71bb714ba2
No known key found for this signature in database
GPG key ID: 1E892DB2A5F84479

View file

@ -11,7 +11,7 @@ Pale Moon's inception pre-dates Firefox 57 by many years; before its notoriety f
I hate that Pale Moon is so behind on security because it also has nice stuff that Mozilla axed. Some things were axed for good reason, like extensions with the ability to alter browser functionality. Others were axed without good reason, like built-in RSS/Atom support. I hate that Pale Moon is so behind on security because it also has nice stuff that Mozilla axed. Some things were axed for good reason, like extensions with the ability to alter browser functionality. Others were axed without good reason, like built-in RSS/Atom support.
WebExtensions that fill in missing functionality often require content injection which is problematic for a variety of reasons (try visiting a page that has a <samp>sandbox</samp> CSP directive without `allow-same-origin` or `allow-scripts` and see how well it works, or seeing their scripts activate too late when your underpowered machine is under load). It's better than giving them access to browser functionality but nothing beats having features in the actual browser. WebExtensions that fill in missing functionality often require content injection which is problematic for a variety of reasons. To name a few: try visiting a page that has a <samp>sandbox</samp> CSP directive without <samp>allow-same-origin</samp> or <samp>allow-scripts</samp> and see how well it works, saving a page and noticing it has extra scripts or iframes, or seeing addon scripts activate too late when your underpowered machine is under load). It's better than giving them access to browser functionality but nothing beats having features in the actual browser.
I still wouldn't recommend it due to extremely weak sandboxing and a naive approach to security. The devs respond to sandboxing queries by saying it's secure because "it separates the content and application" which tells you how little they care or understand; untrusted content needs isolation not just from the browser but from other untrusted content. Given the scope of a browser, even Firefox isn't where it should be (even given their commendable progress on Fission, RLBox, and their utility process overhaul), let alone caught up to the mitigations in Chromium's Blink or WebKit's JavaScriptCore but I digress. I still wouldn't recommend it due to extremely weak sandboxing and a naive approach to security. The devs respond to sandboxing queries by saying it's secure because "it separates the content and application" which tells you how little they care or understand; untrusted content needs isolation not just from the browser but from other untrusted content. Given the scope of a browser, even Firefox isn't where it should be (even given their commendable progress on Fission, RLBox, and their utility process overhaul), let alone caught up to the mitigations in Chromium's Blink or WebKit's JavaScriptCore but I digress.