I&#39;ve already seen websites exploit firefox tabs and they made use of my gmail account to send spam.<div><br></div><div>Why should we make firefox easier to exploit?<br><br><div class="gmail_quote">On Mon, Aug 16, 2010 at 5:07 AM, drago01 <span dir="ltr">&lt;<a href="mailto:drago01@gmail.com">drago01@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Mon, Aug 16, 2010 at 1:15 AM, Kevin Kofler &lt;<a href="mailto:kevin.kofler@chello.at">kevin.kofler@chello.at</a>&gt; wrote:<br>

&gt; drago01 wrote:<br>
&gt;&gt; The times where javascript is only used for some fancy effects are<br>
&gt;&gt; long over ... welcome to 2010 ;)<br>
&gt;<br>
&gt; Some web sites are indeed abusing JavaScript. Why should we promote this<br>
&gt; behavior? It is a vehicle for proprietary software, where people often<br>
&gt; aren&#39;t even aware they&#39;re using non-Free code, or just ignore the issue.<br>
&gt; See also <a href="http://www.gnu.org/philosophy/javascript-trap.html" target="_blank">http://www.gnu.org/philosophy/javascript-trap.html</a> . A web site is<br>
&gt; not and should not be an application, an application is not and should not<br>
&gt; be a web site.<br>
<br>
</div>There is a difference between a website and web *application*.<br>
Besides who is stopping me (or anyone else) from writing a free<br>
software web app that uses Javascript? People have been and are doing<br>
that all the time.<br>
By your logic we should ban gcc, java, mono, python, perl, bash ... as<br>
one can use them to create and/or run non free software.<br>
<br>
Also you may be aware that javascript has its uses *outside* of the<br>
web too (just like you can write apps in python you can do it in JS;<br>
and having a JIT that speeds them up is definitely a plus).<br>
<div class="im"><br>
&gt;&gt; The &quot;problem&quot; is fixable there is a patch that is being discussed<br>
&gt;&gt; upstream to fix the issue and allow selinux memory protection it is<br>
&gt;&gt; just not merged yet.<br>
&gt;&gt;<br>
&gt;&gt; Using a JIT is not a security risk by itself.<br>
&gt;<br>
&gt; Workarounds which make SELinux happy are still not as secure as sticking to<br>
&gt; a pure bytecode interpreter. Exploit code can still write to the memory to<br>
&gt; be executed, with ANY JIT, as this is how a JIT works. It&#39;s just that the<br>
&gt; writing has to happen through a different address space window as the<br>
&gt; execution, making the JIT harder, but not impossible, to exploit.<br>
&gt;<br>
&gt; So IMHO the right fix is to disable the JIT altogether.<br>
<br>
</div>This is *not* a fix. You can&#39;t solve problems by disabling features<br>
and pretending they do not exists.<br>
<div class="im"><br>
&gt; But the proposed patch would still be better than the crappy solution<br>
&gt; implemented now just to &quot;stick to upstream&quot;<br>
<br>
</div>Yeah because forking a web browser which would end up with a more<br>
secure experience than joining forces with upstream with the expertize<br>
there and can deliver security fixes on time (which also apply to our<br>
version).<br>
<div><div></div><div class="h5">--<br>
devel mailing list<br>
<a href="mailto:devel@lists.fedoraproject.org">devel@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/devel" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/devel</a><br>
</div></div></blockquote></div><br></div>