mirror of
https://git.sr.ht/~seirdy/seirdy.one
synced 2024-11-23 21:02:09 +00:00
Amend pale moon note
This commit is contained in:
parent
425071eade
commit
71bb714ba2
1 changed files with 1 additions and 1 deletions
|
@ -11,7 +11,7 @@ Pale Moon's inception pre-dates Firefox 57 by many years; before its notoriety f
|
||||||
|
|
||||||
I hate that Pale Moon is so behind on security because it also has nice stuff that Mozilla axed. Some things were axed for good reason, like extensions with the ability to alter browser functionality. Others were axed without good reason, like built-in RSS/Atom support.
|
I hate that Pale Moon is so behind on security because it also has nice stuff that Mozilla axed. Some things were axed for good reason, like extensions with the ability to alter browser functionality. Others were axed without good reason, like built-in RSS/Atom support.
|
||||||
|
|
||||||
WebExtensions that fill in missing functionality often require content injection which is problematic for a variety of reasons (try visiting a page that has a <samp>sandbox</samp> CSP directive without `allow-same-origin` or `allow-scripts` and see how well it works, or seeing their scripts activate too late when your underpowered machine is under load). It's better than giving them access to browser functionality but nothing beats having features in the actual browser.
|
WebExtensions that fill in missing functionality often require content injection which is problematic for a variety of reasons. To name a few: try visiting a page that has a <samp>sandbox</samp> CSP directive without <samp>allow-same-origin</samp> or <samp>allow-scripts</samp> and see how well it works, saving a page and noticing it has extra scripts or iframes, or seeing addon scripts activate too late when your underpowered machine is under load). It's better than giving them access to browser functionality but nothing beats having features in the actual browser.
|
||||||
|
|
||||||
I still wouldn't recommend it due to extremely weak sandboxing and a naive approach to security. The devs respond to sandboxing queries by saying it's secure because "it separates the content and application" which tells you how little they care or understand; untrusted content needs isolation not just from the browser but from other untrusted content. Given the scope of a browser, even Firefox isn't where it should be (even given their commendable progress on Fission, RLBox, and their utility process overhaul), let alone caught up to the mitigations in Chromium's Blink or WebKit's JavaScriptCore but I digress.
|
I still wouldn't recommend it due to extremely weak sandboxing and a naive approach to security. The devs respond to sandboxing queries by saying it's secure because "it separates the content and application" which tells you how little they care or understand; untrusted content needs isolation not just from the browser but from other untrusted content. Given the scope of a browser, even Firefox isn't where it should be (even given their commendable progress on Fission, RLBox, and their utility process overhaul), let alone caught up to the mitigations in Chromium's Blink or WebKit's JavaScriptCore but I digress.
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue