'we've taught this robot to move small uniform blocks and we're going to make it perform arbitrary complex tasks on a variety of objects' sounds a lot like 'I'm trying to draw the Mona Lisa and I got her eyebrow down really well'
from experience, I wouldn't recommend anything other than context-aware safe templating systems for html safety in this day and age.
to an even greater extent than templating systems, sanitization systems of this type need to be built by an expert and align perfectly with how browsers parse tags, which is no small feat.
to give more concrete examples, from a few minutes of testing:
<a href="javascript://%0Aalert`xss`">1</a> <- xss on click
<img src=javascript:alert(2)> <- XSS in Opera Mobile, Opera 10, early versions of IE
<img src="/logout"> <- csrf which affects nearly everything built without security knowhow
So in order to use a function that exposes the software to serious undue security risk unless used correctly, the engineer is pushed to do research? That really doesn't seem like a bad thing...
FYI, this only works in insert mode, for the word you just typed (equivalent to ctrl-backspace, basically). And diw/diW (delete inner word, delete inner non-space-characters-word) may actually be faster depending on the context since you don't need to get to the beginning of the word.
Really cool product presented beautifully. But perhaps from being a security engineer, I wish it would say anything at all about how they're going to ensure a 16 year old kid can't pwn me from the internet and crush things -- here's praying it can't crush people.
I've just started getting into the whole smarthome thing, it worries me how hard it is to get information about security characteristics or even standards enforcement for these (which appear to be mostly non-existent).
I wish the public were more inclined to ask the question of 'but how is it secured?' when examining something to be placed in their home.
I tried to enjoy Ingress, but didn't, and I enjoy Pokémon Go.
Obviously the Pokémon brand is a draw, but Ingress felt like a platform for a game that people had to construct. I got contacted by people who told me I needed to join these groups and talk in these IRC channels to have fun. I live in an area that's not so tech-savvy so there are few Ingress portals / Pokéstops, but I can still walk over to the park and wander around some time through the few Pokéstops and gyms there are and have a lot of fun.
To me, Ingress feels like an endless RPG quest where you have to retrieve items from various points. Sure, if you gather and co-ordinate efforts over the IRC channels and chat rooms I was invited to promising great depth, you can create enough of a social element to make it pretty fun, but I could be doing anything else.
With Pokémon Go, I feel confident to flip it out anywhere and gain a little bit of ingame development and fun that I can share with my friends, and I don't lose anything if I don't.
Yeah, I totally agree. It was a while since I played Ingress and I forgot about some key points, but it was more about the totality. But again, good points you give here, and valuable to other readers!
That's an amazingly regressive point of view. Sure, in the past such things risked prosecution but why exactly does it mean we have to figuratively knock stones together on vulnerability ethics? When cars were invented, a man had to run in front of the car with a red flag to warn others of it.
In 2016, everyone deserves privacy and security on the internet. We know and understand the dangers of vulnerabilities better, and I think we should be capable of having some respect and suitably compensating those who do the right thing.
If you can make the internet a more secure place for us to live our lives and make enough to live out of it, more power to you.
The primary problem this hopes to solve is actually CSRF. Simply generating an HTML form for any website and submitting it sends the cookies of the target website, regardless of where the form is based. XHR isn't so much of an issue as it has same origin policy restrictions.
This spec allows you to set cookies that turn this outdated and age-old security policy on its head, so instead of having to generate and validate cryptographically derived client-correlated tokens on every form (CSRF tokens), we can simply set this flag and refuse to send these cookies from any other site. This has long been known to be the right thing to do, which is why other new-age web policies like CORS refuse to send cookies completely by default.
The HttpOnly flag is meant to mitigate cookie theft risk via XSS. To my knowledge this particular innovation actually does nothing to that risk.
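To make the Strict/Lax distinction in the draft concrete, here is an added model (not code from the spec or any browser) of the decision a browser makes about attaching a cookie to a request, with the two cases from this thread: a cross-site form POST, and a cross-site `<img src="/logout">`. Hostnames such as `bank.example` and `evil.example` are constructed for the illustration, and the registrable-domain check is deliberately simplified.

```python
"""Model of the SameSite cookie decision (Strict / Lax / unset).
Added illustration only; real browsers consult the Public Suffix List
and have further rules (e.g. Secure, cookie prefixes) not modelled here."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Methods the draft treats as "safe" for Lax top-level navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str                      # registrable domain, e.g. "bank.example"
    same_site: Optional[str] = None  # None (legacy), "Strict" or "Lax"
    http_only: bool = False          # irrelevant to CSRF; only blocks script access


def registrable_domain(url: str) -> str:
    """Simplified: last two labels of the host (constructed example, not PSL)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_sent(cookie: Cookie, initiator_url: Optional[str], target_url: str,
                method: str, top_level_navigation: bool) -> bool:
    """Would the browser attach `cookie` to a request for target_url that was
    triggered by a page at initiator_url (None = typed/bookmarked)?"""
    if registrable_domain(target_url) != cookie.domain:
        return False  # cookie belongs to a different site entirely
    same_site = initiator_url is None or registrable_domain(initiator_url) == cookie.domain
    if same_site or cookie.same_site is None:
        return True   # legacy behaviour: cookies ride along with every request
    if cookie.same_site == "Strict":
        return False  # never on cross-site requests
    # Lax: only top-level navigations using a safe method
    return top_level_navigation and method.upper() in SAFE_METHODS


def csrf_form_post_attaches(cookie: Cookie) -> bool:
    """Cross-site auto-submitted form (the CSRF described above)."""
    return cookie_sent(cookie, "https://evil.example/", "https://bank.example/transfer",
                       "POST", top_level_navigation=True)


def csrf_img_get_attaches(cookie: Cookie) -> bool:
    """Cross-site <img src="/logout"> subresource request (the example above)."""
    return cookie_sent(cookie, "https://evil.example/", "https://bank.example/logout",
                       "GET", top_level_navigation=False)
```

Running the two checks against legacy, Lax and Strict session cookies shows that only the SameSite variants stop the cookie from riding along, while a user following an ordinary cross-site link to the site still gets their Lax cookie sent.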
Yep, CSRF is a completely opt-in problem to have. There are pretty much zero (valid) reasons to need cookies anymore. Although I agree this spec is an improvement, its main purpose should be to make legacy systems more secure. The best course of action would be to avoid cookies entirely.