
You have it backwards: stuff like WebSockets is built by design to be incompatible with existing implementations. This is because JavaScript code is untrusted/untrustworthy, and we already had a plethora of attacks due to foreign JS doing nasty things with what little they had. Here are a couple of examples:

- SMTP/IRC spamming using Web requests (Cross-protocol scripting, 2002) - https://www.eyeonsecurity.org/papers/Extended%20HTML%20Form%...

- Webpages that detect your router and leak your SSID (or worse) - Samy Kamkar "How I met your girlfriend" (2010), excerpt: https://www.youtube.com/watch?v=tRJMIMBVqFI

Web extensions should allow you to do normal sockets; many years ago I had a Chrome app (I still miss them) as my IRC client.
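Added example, not part of the thread: the client-side opening-handshake check from RFC 6455 that makes WebSocket incompatible by design with servers such as SMTP or IRC, since the connection is failed unless the server returns the derived `Sec-WebSocket-Accept` value. The key is the RFC's sample nonce; the SMTP banner and its host name are constructed for illustration.

```python
import base64
import hashlib

# Fixed GUID defined by RFC 6455 for the opening handshake.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(sec_websocket_key: str) -> str:
    """Value a real WebSocket server must return in Sec-WebSocket-Accept."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_ok(sec_websocket_key: str, response: bytes) -> bool:
    """Client-side validation of the server's handshake response."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    # Anything other than an HTTP/1.1 101 status line fails immediately.
    if len(parts) < 2 or parts[0] != "HTTP/1.1" or parts[1] != "101":
        return False
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False
    # Only a server that understood the request can derive this value.
    return headers.get("sec-websocket-accept") == expected_accept(sec_websocket_key)


# Sample nonce from RFC 6455 and the matching server response.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
# Constructed reply from a non-WebSocket service (an SMTP greeting).
SMTP_BANNER = b"220 mail.example.test ESMTP ready\r\n"

if __name__ == "__main__":
    print("websocket server:", handshake_ok(SAMPLE_KEY, GOOD_RESPONSE))
    print("smtp server:     ", handshake_ok(SAMPLE_KEY, SMTP_BANNER))
```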



> Web extensions should allow you to do normal sockets

Not since 2017 or whenever it was that Firefox dropped XUL extensions and replaced them with WebExtensions. The legacy XUL extensions could do much, much more and there was correspondingly much, much more malware in browser extensions.


It's not like WebSockets prevent this completely. eBay port scanning: https://www.ghacks.net/2020/05/25/ebay-is-port-scanning-your...


That's a pretty clever attack. It's clear everything can (will?) be exploited at some point, so it's usually down to features vs. user protection.

Unless everyone is ok going back to running random .exe files from emails, I guess.


So treat sockets as one currently treats web cameras and microphones.



