We managed to make a list of domains that are suffixes, why can’t we make a list of domains that are prefixes? Like “hey dipshit, just because a page is in a directory doesn’t mean it’s allowed to access outside of its directory”.
the whole article is about how javascript has a bunch of design flaws and security issues, not about userdirs being dangerous
so now I know more about javascript’s flaws - where’s the fault of per-user web directories at exactly?
Would this even be a problem on smaller/restricted (as in invite-only) servers where it’ll be a lot easier for the machine admins to watch for vulnerabilities and stuff in user web dirs?
in the article, they claimed that even if all the users are trusted, they cannot be trusted/expected to check for new vulnerabilities in the things they put in their userdir, which would still have javascript making the whole thing insecure.