Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Chrome has the XSS Auditor which blocks JS which is contained in the request. This of course completely useless:
- when the js is saved in a db for example to save a post
- when the js isn't actually inserted in the page but rather just a legitimate snippet took from the page for example:
actual code:
showSomeWarningAboutUser()
request:
GET /websits?someirrelevantparam=showSomeWarningAboutUser()
this will result in the warning not being shown, which potentially can be dangerous.
- lastly the XSS-Auditor is used as an excuse not to properly implement tag stripping, etc.
liveoverflow did a great video on this.
Related Rants
Did you say security?
Nice try
Yesterday while learning some basic php stuff, prof was telling us about text fields and how php auto converts HTML and JavaScript.
He said to test it out before class, he wrote a lil JS script and submitted it to a text field using IE and then again using Chrome.
IE let the script run no problems (big surprise) but chrome blocked the script from running.
He doesn’t use Firefox, but I just recently switched from chrome to FF so I tested it out in class on FF.
I was surprised to see FF ran the script no problem. Surprised because I made the switch because of security reasons, my partner helped me secure all my shit and we both switched to FF cause every resource suggested it.
This is just one small case that I feel isn’t a huge deal, my prof said any decent dev will strip tags or whatever, but made me think: are there any other security concerns with FF? Am I right to consider it a more secure and therefore “better” browser?
rant
firefox
php
chrome
security