>1. Why don't browsers execute (interpret?) languages other than JavaScript?
I believe the general idea was that they would, because the "type" attribute in the <script> tag didn't need to be "text/javascript", but javascript happened to win because it was supported by Netscape Navigator. Microsoft had VBScript, but that was an IE only product, while both browsers supported javascript, making it the only choice for cross-browser compatible scripting (albeit with lots of irritating hacks, but then jQuery came along.)
See this decent StackExchange thread here[0].
Then HTML5 deprecated the type attribute from the script tag because there really was no point anymore. Why support other languages when one language was adequate and already ubiquitous?
>2. What would be involved in having a browser execute (interpret?) other languages, such as Perl or Python?
Today? Browsers could ship with support for those languages (the way Chrome did with Dart) but of course, that would fragment the web unless all browsers supported all options. Or maybe plugins. Or "compiling to javascript." Or Webassembly[1].
I 100% believe that seamless, dynamic language support through WASM is going to be a thing eventually.
It'll be interesting to see how this works, given that the Signal Desktop client's main page (background.html) includes a CSP that restricts it from running inline or external scripts. It can only run JS that's already in the Signal Desktop package (in theory).
The fact that this isn't being described as an issue with CSPs or electron makes me wonder how it could possibly work.
You are correct, there's also a flaw on CSP not limiting all the ways you can download a resource. And at this time, it's still not fixed. We'll publish an advisory soon.
You've linked that thread a couple of times here, never really elaborating on the nature of your concerns, nor do you elaborate on the specific nature of your concerns in the ticket. Have you considered elaborating on the nature of your concerns? Is there a specific vulnerability in chromium you feel could be exploited here?
It's time to admit that we can't fix web security anymore, and that we should just start anew. XSS, SQLi, cross origin flaws, etc. There are just too many vectors for a human developer to make a correct implementation.
> It's time to admit that we can't fix web security anymore
It seems like this was fixed in a newer version of chromium.. a version that electron is not based on. This particular problem exists purely because they used a framework that depends on a ridiculously complicated backend, one that the framework has chosen not to follow closely (despite the backend addressing security issues relatively timely)
20 comments
[ 5.0 ms ] story [ 46.5 ms ] threadhttps://blog.doyensec.com/2017/08/03/electron-framework-secu...
1. Why don't browsers execute (interpret?) languages other than JavaScript?
2. What would be involved in having a browser execute (interpret?) other languages, such as Perl or Python?
I believe the general idea was that they would, because the "type" attribute in the <script> tag didn't need to be "text/javascript", but javascript happened to win because it was supported by Netscape Navigator. Microsoft had VBScript, but that was an IE only product, while both browsers supported javascript, making it the only choice for cross-browser compatible scripting (albeit with lots of irritating hacks, but then jQuery came along.)
See this decent StackExchange thread here[0].
Then HTML5 deprecated the type attribute from the script tag because there really was no point anymore. Why support other languages when one language was adequate and already ubiquitous?
>2. What would be involved in having a browser execute (interpret?) other languages, such as Perl or Python?
Today? Browsers could ship with support for those languages (the way Chrome did with Dart) but of course, that would fragment the web unless all browsers supported all options. Or maybe plugins. Or "compiling to javascript." Or Webassembly[1].
I 100% believe that seamless, dynamic language support through WASM is going to be a thing eventually.
[0]https://softwareengineering.stackexchange.com/questions/2894...
[1]https://github.com/mbasso/awesome-wasm#languages
There was an effort at one time to implement a Dart VM in Chrome [1]. That has been stopped, though [2].
[0] https://www.tcl.tk/software/plugin/
[1] http://googlecode.blogspot.com/2011/10/dart-language-for-str...
[2] https://news.dartlang.org/2015/03/dart-for-entire-web.html
The fact that this isn't being described as an issue with CSPs or electron makes me wonder how it could possibly work.
Thanks SMB / UNC Paths.
It seems like this was fixed in a newer version of chromium.. a version that electron is not based on. This particular problem exists purely because they used a framework that depends on a ridiculously complicated backend, one that the framework has chosen not to follow closely (despite the backend addressing security issues relatively timely)