Just as a PSA, I found that "nginx -v" was not detailed about the version sufficient to check, but "apt list nginx" gave the full version number that was checkable, and indeed the 24.04 version of this morning…
The test is the hardcore engineering tell here. The test is dialed in on the key area, and when the graph wasn't coming out the right shape, they kept at it. Plus one from me!
What jumps out to me is that this is a success story of using a non-trivial test to illuminate an important but hard to observe bit of algorithm. I appreciate the engineering grit to put in a complex test like this, and…
Exactly. It's not a good solution where you have to read a bunch of steps to do to make SVG safe, where you're worried you forgot one. Instead there should be a straightforward <svg exec="false"> or whatever that simply…
I'm curious is the JIT developers could mention any Python features that prevent promising JIT features. An earlier Ken Jin blog [1], mentions how __del__ complicates reference counting optimization. There is a story…
Nice HN explanation! One hopes we will not be living with 4kb pages forever, and perhaps L1 performance will be one more reason.
If I do this on my mac, I wonder if am technically violating the HEIC patent license. I suppose it depends on the details in the patent license, plus perhaps rights Apple has acquired for its users. I definitely don't…
I had the impression from elsewhere in this thread that loading the svg in some other way, then you are not protected. This makes a no-brainer "don't run these ever" option in the browser seem appealing.
I gather from the HN discussion that it's not simple to disable scripting in an SVG, in retrospect a tragically missing feature. I guess the next step is to propose a simple "noscripting" attribute, which if present in…
I would surprised to see performance as good as V8, although that would be great. As I recall the v8 team performed exceptionally well in a corporate environment that badly wanted js performance to improve, and maybe…
Don't underestimate the nicotine withdrawal for making you feel crabby - I've heard that anecdote many times. The nice thing is ... that one gets better with time.
I'm super curious how this hack worked, but I feel like the story is just about the last step. What did the attacker have such that this last step did it? My guess is that the attacker had the google password, and also…
Just as a PSA, I found that "nginx -v" was not detailed about the version sufficient to check, but "apt list nginx" gave the full version number that was checkable, and indeed the 24.04 version of this morning…
The test is the hardcore engineering tell here. The test is dialed in on the key area, and when the graph wasn't coming out the right shape, they kept at it. Plus one from me!
What jumps out to me is that this is a success story of using a non-trivial test to illuminate an important but hard to observe bit of algorithm. I appreciate the engineering grit to put in a complex test like this, and…
Exactly. It's not a good solution where you have to read a bunch of steps to do to make SVG safe, where you're worried you forgot one. Instead there should be a straightforward <svg exec="false"> or whatever that simply…
I'm curious is the JIT developers could mention any Python features that prevent promising JIT features. An earlier Ken Jin blog [1], mentions how __del__ complicates reference counting optimization. There is a story…
Nice HN explanation! One hopes we will not be living with 4kb pages forever, and perhaps L1 performance will be one more reason.
If I do this on my mac, I wonder if am technically violating the HEIC patent license. I suppose it depends on the details in the patent license, plus perhaps rights Apple has acquired for its users. I definitely don't…
I had the impression from elsewhere in this thread that loading the svg in some other way, then you are not protected. This makes a no-brainer "don't run these ever" option in the browser seem appealing.
I gather from the HN discussion that it's not simple to disable scripting in an SVG, in retrospect a tragically missing feature. I guess the next step is to propose a simple "noscripting" attribute, which if present in…
I would surprised to see performance as good as V8, although that would be great. As I recall the v8 team performed exceptionally well in a corporate environment that badly wanted js performance to improve, and maybe…
Don't underestimate the nicotine withdrawal for making you feel crabby - I've heard that anecdote many times. The nice thing is ... that one gets better with time.
I'm super curious how this hack worked, but I feel like the story is just about the last step. What did the attacker have such that this last step did it? My guess is that the attacker had the google password, and also…