Hacker News

Or with JS disabled. HTML isn't as expressive, but it's still "arbitrary code from the internet"


There is a difference. JS is Turing complete, pure HTML is far from (as far as I'm aware). So HTML might (!) well be restricted enough to not be able to carry out such an attack.

But I'd never state so definitively, as I don't know enough about what HTML without JS can do these days. For all I know there's a Turing tarpit in there somewhere...


CSS3 is Turing-complete, but creating an exploit using just it would be... quite a feat.

With JS or WASM, it's much more straightforward.


HTML doesn’t have the potential to deliver Spectre-like attacks because:

1. No timers - timers are generally a required gadget & often they need to be hi-res or building a suitable timing gadget gets harder & your bandwidth of the attack goes down

2. No loops - you have to do timing stuff in a loop to exploit bugs in the predictor.



