Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/dalias/statuses/114094652997485131">Rich Felker (dalias@hachyderm.io)'s status on Monday, 03-Mar-2025 05:10:45 JST</a><a href="https://hachyderm.io/@dalias" title="dalias@hachyderm.io"><img src="https://gnusocial.jp/avatar/40873-48-20221207231635.webp" width="48" height="48" alt="Rich Felker" style="position: absolute; left: 0; top: 0;">Rich Felker</a><div><a href="https://infosec.exchange/@alwayscurious/114094626712299393" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/167753" title="alwayscurious@infosec.exchange">Demi Marie Obenour</a></li><li><a href="https://gnusocial.jp/user/315648" title="theearthisapringle@mastodon.social">theearthisapringle</a></li></ul></div></section><article><p><a href="https://infosec.exchange/@alwayscurious">@alwayscurious</a> <a href="https://mstdn.ca/@swordgeek">@swordgeek</a> <a href="https://mastodon.social/@theearthisapringle">@theearthisapringle</a> I don't really see it as a "sadly". The norm is that applications working with complex data from different privilege domains should run in different execution privilege domains.</p><p>Browsers just kinda evolved from simple low attack surface document readers to application platforms, and at the same time political norms against malicious behavior disappeared.</p><p>But in what they are now, it absolutely makes sense to put them in their own execution privilege domains. Not the fake way FF &amp; Chrome do where there's still shared context with all the secrets in it. But entirely isolated.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4661695#notice-9126178">In conversation</a><time datetime="2025-03-03T05:10:45+09:00" title="Monday, 03-Mar-2025 05:10:45 JST">about a month ago</time> <span>from <span><a href="https://hachyderm.io/@dalias/114094652997485131" rel="external" title="Sent from hachyderm.io via ActivityPub">hachyderm.io</a></span></span><a href="https://hachyderm.io/@dalias/114094652997485131">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Monday, 03-Mar-2025 05:10:45 JSTRich Felker
in reply to
@alwayscurious @swordgeek @theearthisapringle I don't really see it as a "sadly". The norm is that applications working with complex data from different privilege domains should run in different execution privilege domains.
Browsers just kinda evolved from simple low attack surface document readers to application platforms, and at the same time political norms against malicious behavior disappeared.
But in what they are now, it absolutely makes sense to put them in their own execution privilege domains. Not the fake way FF & Chrome do where there's still shared context with all the secrets in it. But entirely isolated.
In conversationabout a month ago from hachyderm.iopermalink

Public

Embed Notice

HTML Code

Corresponding Notice