
The full article is being commented on Slashdot right now.
One noted* add-on maker applauded the optional request for money. "Mozilla is giving developers a way to better communicate with their users about the costs of maintaining the code, about their future goals and about the ways to contribute (financially, too) for people who find the development roadmap interesting," said Giorgio Maone, the creator of the popular NoScript extension. Maone has long solicited donations for NoScript on his own Web site.
The best thing is that they're trying to...
Developers can use PayPal's micropayment fee offering to reduce the transaction fees for contributions under $12. "After looking at our requirements for trust, security, international currencies, and ease of integration, PayPal was the [best] partner that met our needs for this pilot," said Nguyen.
Grumpy Old Lady wrote:...
One more big boost for Ppal's cornering the web payment market there Mozilla. Will you scream when Ppl starts squeezing the pips once its monopoly is secured with those loss-leading discount setups?...
RSnake wrote:Jeremiah brought my attention to the new Firefox 3.5+ CORS (Cross-Origin Resource Sharing), which is a way to do a cross-domain XMLHTTPRequest. ... <snip> ... and as a result you can enumerate a substantial amount of internal address space behind the victim’s firewall, and relatively quickly. I created a demo here (works only in Firefox 3.5+, and you must enable JavaScript globally for this to work). It won’t work if you just whitelist ha.ckers.org; if you use NoScript you have to globally allow JavaScript for the demo to work, and you must disable ABE in NoScript as well.
I should note that there is an IE8.0 version of Firefox’s XMLHTTPRequest called XDomainRequest, but I didn’t have much time this weekend to try to get it working in both browsers, so I have no idea if it has the same issue or not.
Incidentally, Jeremiah and I both gave the thumbs up to the idea of a cross domain XHR several years ago when the Mozilla team first asked us about the concept. Because there are so many other things wrong with the browser Jeremiah and I told them that it wouldn’t change much - the browser is already so broken from a security perspective that it really didn’t matter - a sad commentary thinking back. Of course, it really is all about the implementation.
Tom T. wrote:The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
Tom T. wrote:It doesn't sound like this "feature" was such a good thing to introduce, in the long run.
Giorgio Maone wrote:In fact, you can still disable it by setting the noscript.forbidXHR about:config preference to 2.
http://noscript.net/changelog#1.4.9.4
v 1.4.9.4
=====================================================================
+ Added client-side policy control for new Firefox 3 cross-site XHR,
configurable via noscript.forbidXHR about:config preference:
0 - Allow any XHR
1 - Allow cross-site XHR across trusted sites only (default)
2 - Allow same-site XHR only (like Firefox 2)
3 - Forbid all XHR
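To make the four policy levels in the changelog above concrete, here is an added example of a decision function that models them. This is illustration code written for this thread, not NoScript's own implementation. It assumes two things the changelog does not spell out: that "same-site" means same origin (scheme, host and port), and that a trusted-site entry matches a host exactly or as a parent domain of it. The hosts and request list are constructed sample data.

```javascript
// Added example, not NoScript's own code: a model of the four
// noscript.forbidXHR levels listed in the 1.4.9.4 changelog.
// Assumptions (not stated on the page): "same site" is taken to mean
// same origin (scheme + host + port), and a trusted-site entry matches
// a host exactly or as a parent domain of it.
const FORBID_XHR = {
  ALLOW_ANY: 0,           // 0 - Allow any XHR
  TRUSTED_CROSS_SITE: 1,  // 1 - Allow cross-site XHR across trusted sites only
  SAME_SITE_ONLY: 2,      // 2 - Allow same-site XHR only
  FORBID_ALL: 3,          // 3 - Forbid all XHR
};

// A host is trusted if it equals a whitelist entry or is a subdomain of one.
function isTrusted(hostname, trustedSites) {
  return trustedSites.some((site) => hostname === site || hostname.endsWith('.' + site));
}

// URL.host includes a non-default port, so this compares scheme, host and port.
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.host === b.host;
}

// Decide whether the page at pageUrl may send an XHR to targetUrl.
function xhrDecision(level, pageUrl, targetUrl, trustedSites) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (level === FORBID_XHR.FORBID_ALL) return 'deny';
  if (level === FORBID_XHR.ALLOW_ANY) return 'allow';
  if (sameOrigin(page, target)) return 'allow';
  if (level === FORBID_XHR.TRUSTED_CROSS_SITE) {
    // Cross-site is allowed only when both the requesting page and the
    // target are trusted; an internal address the user never whitelisted
    // therefore stays unreachable even from a trusted page.
    return isTrusted(page.hostname, trustedSites) && isTrusted(target.hostname, trustedSites)
      ? 'allow'
      : 'deny';
  }
  return 'deny'; // SAME_SITE_ONLY: every cross-origin request is refused
}

// Constructed sample of requests a page on ha.ckers.org might issue.
const SAMPLE_REQUESTS = [
  { page: 'https://ha.ckers.org/demo', target: 'https://ha.ckers.org/api' },  // same origin
  { page: 'https://ha.ckers.org/demo', target: 'https://noscript.net/' },     // cross-site, both trusted
  { page: 'https://ha.ckers.org/demo', target: 'http://192.168.1.1/' },        // internal host, untrusted
  { page: 'https://ha.ckers.org/demo', target: 'http://10.0.0.5:8080/' },      // internal host, untrusted
];

// Count how many of the sample requests a given level lets through.
function allowedCount(level, trustedSites) {
  return SAMPLE_REQUESTS.filter(
    (r) => xhrDecision(level, r.page, r.target, trustedSites) === 'allow'
  ).length;
}

// One summary line per level, for a given whitelist.
function report(trustedSites) {
  return [0, 1, 2, 3].map(
    (level) => `forbidXHR=${level}: ${allowedCount(level, trustedSites)} of ${SAMPLE_REQUESTS.length} allowed`
  );
}

console.log(report(['ha.ckers.org', 'noscript.net']).join('\n'));
```

With the sample whitelist the report reads 4, 2, 1 and 0 allowed for levels 0 to 3. The point of the default level 1 is visible in the two internal-address rows: a page on a whitelisted site still cannot reach 192.168.1.1 or 10.0.0.5 unless the user has also trusted those hosts, which is the client-side counterpart of the ABE protection mentioned later in the thread.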
Tom T. wrote:Curious: On my F2.20, the default is "1". So on F2, 1 = same site only?
Tom T. wrote:And from RSnake's article, I got the impression that only F3.5+ had this cross-domain capability anyway.
Tom T. wrote:Conclusion: (RSnake)Incidentally, Jeremiah and I both gave the thumbs up to the idea of a cross domain XHR several years ago when the Mozilla team first asked us about the concept. Because there are so many other things wrong with the browser Jeremiah and I told them that it wouldn’t change much - the browser is already so broken from a security perspective that it really didn’t matter - a sad commentary thinking back. Of course, it really is all about the implementation.
The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
It doesn't sound like this "feature" was such a good thing to introduce, in the long run.
tlu wrote:I agree that this remark by RSnake is disturbing, indeed. And he's a guy who usually knows what he's talking about. Nevertheless, is this only a remark by a "rejected lover" or has FF really fallen behind other browsers security-wise? And are extensions like NoScript, RefControl, RequestPolicy etc. enough to fix these holes, or is a complete overhaul of FF necessary?
I'm a loyal Mozilla supporter, but if someone like RSnake is making such a comment I'm beginning to wonder ...
Tom T. wrote:The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
He means "the browser", as in "the browser concept" or "every web browser, no matter the vendor" (without NoScript, that is)
Tom T. wrote:RSnake is a loyal user of NoScript, and has said so many times -- hardly a rejected lover.
Giorgio and RSnake communicate with each other, to mutual benefit. Notice that he almost assumes that the user is using NoScript if you read the actual article. And that even if you allowed scripting globally, his attack would still be defeated by ABE.
tlu wrote:this suggests that he regards the security concept of FF as fundamentally broken.
Giorgio Maone wrote:tlu wrote:this suggests that he regards the security concept of FF as fundamentally broken.
Nope, he's not singling out Firefox at all.
What he's trying to say is that the web (and the browsers, all the browsers, none excluded by reflex) is fundamentally broken from a security standpoint.
Firefox, at least, provides some work-around for this breakage (e.g. NoScript) and is trying to build a slightly less broken web through experimental proposals like CSP.