oss-sec mailing list archives

Re: with firefox on X11, any page can pastejack you anytime


From: Martin Hecht <martin.hecht () hlrs de>
Date: Tue, 24 Oct 2023 18:56:27 +0200

On 20/10/2023 17:21, Turistu wrote:
> On Fri, Oct 20, 2023 at 03:27:41PM +0200, Solar Designer wrote:
>
>> Or isolate Firefox to its own X server (or at least a separate one from
>> where you run terminal emulators managing important stuff), like it
>> happens when you run it in its own VM (or perhaps many instances of it
>> in many VMs) on Qubes OS.  Indeed this also removes the convenience of
>
> If you do that, notice that you will also have to run a window manager
> inside that separate X server, because firefox (which never implemented
> the X11 and icccm protocols correctly) needs a wm in order to function
> properly (more precisely a point-to-focus wm or one that simulates
> point-to-focus just to keep firefox and some other horrors like old atk
> java apps happy).

There was a recommendation to run firefox as a different user, e.g. firefox, some time ago:
https://seclists.org/fulldisclosure/2014/Jun/84

This firefox user doesn't have access to the primary and secondary selection buffer. Some details have changed, but basically I've been using this approach since then. It's a bit uncomfortable in daily use (like most security measures), because copy&paste out of firefox doesn't work anymore. But there is also this addon as a workaround, which lets me save text selected within firefox to a well-defined file, from where I can pick it up after careful inspection under my regular user:
https://addons.mozilla.org/en-US/firefox/addon/save-text-to-file/

But still, we are left with the problem that within firefox scripts can do all kinds of bad things. NoScript addon can help here to some extent:
https://addons.mozilla.org/en-US/firefox/addon/noscript/

But unfortunately more and more web pages refuse to display anything if no scripts are allowed at all by default, which forces me to either admit tons of javascript on those pages or just leave them without reading... OK, using separate browser profiles for different kinds of web pages is another approach (separate profiles for online banking, admin GUIs, regular browsing, another one for pages you trust less...)

best regards, Martin
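
The "careful inspection" of the saved text file mentioned in the message above could be scripted along these lines. This is an added example, not part of the original post or of the add-on; the function names, the choice of hazards to flag, and the sample strings are assumptions constructed for illustration.

```python
import sys
import unicodedata

# Assumption: the hazards worth flagging before text reaches a terminal.
BRACKETED_PASTE_END = "\x1b[201~"  # closes bracketed-paste mode from inside the paste

# Constructed sample inputs (not taken from any real page).
CLEAN = "sudo apt update"
HIDDEN = "ls -l\x1b[201~\necho executed\n"

def inspect_clip(text):
    """Return (offset, finding) pairs for characters that can hide or run commands."""
    findings = []
    if BRACKETED_PASTE_END in text:
        findings.append((text.index(BRACKETED_PASTE_END), "bracketed-paste end sequence"))
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if ch in "\r\n":
            # A trailing line break counts too: the shell runs the line on it.
            findings.append((i, "line break (shell would execute)"))
        elif cat == "Cf":
            # Zero-width and bidi controls change what the reviewer sees.
            findings.append((i, f"invisible/bidi format character U+{ord(ch):04X}"))
        elif cat == "Cc" and ch != "\t":
            findings.append((i, f"control character 0x{ord(ch):02x}"))
    return sorted(findings)

def render_visible(text):
    """Escape everything outside printable ASCII so nothing stays hidden on review."""
    return "".join(
        ch if " " <= ch <= "~" else ch.encode("unicode_escape").decode("ascii")
        for ch in text
    )

def safe_to_paste(text):
    return not inspect_clip(text)

if __name__ == "__main__":
    # Usage: python3 inspect_clip.py <file saved from the browser>
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    print(render_visible(data))
    for offset, finding in inspect_clip(data):
        print(f"offset {offset}: {finding}")
    sys.exit(0 if safe_to_paste(data) else 1)
```

Run under the regular user against the file written by the browser user; a non-zero exit status means the text should not be pasted as-is.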
