Attack surface reduction works: http://blog.gerv.net/2013/10/attack-surface-reduction-works/
Removing E4X broke the NSA's "EGOTISTICALGOAT" attack - a type confusion vulnerability in E4X. In the spirit of learning from this, what's next on the chopping block? A quick survey of the security-group led to the following suggestions, and I'm sure there are more:

* JS engine: Proxy.create, Object.prototype.watch, __noSuchMethod__, legacy (pre-ES6) generators, __iterator__, non-ES6 let-blocks, pre-ES6 expression closures
* Editor (share a JS implementation with Servo instead)
* Most OOM recovery in the JS engine
* FTP (perhaps replace with JS implementation from FireFTP)
* Windows integrated auth
* XSLT (Chrome have already announced they will remove it: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/zIg2KC7PyH0 ; https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/k8aIeI6BCG0 )

Gerv

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
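The JS-engine items in the list above are all features a runtime either still exposes or has removed, so the first thing a defender wants is an inventory: which of them does the engine I ship actually support today? The following audit script is an added example, not code from Gerv's post or from Mozilla. It probes the runtime hooks (Proxy.create, Object.prototype.watch, __noSuchMethod__, __iterator__) directly and probes the legacy syntax forms (E4X literals, let-blocks, expression closures, non-star generators) by compiling a snippet with the Function constructor and treating a SyntaxError as "not supported". The probe bodies for __noSuchMethod__ and __iterator__ are my own heuristics based on how old SpiderMonkey honoured those hooks; the snippets are constructed for this example. Under Node or any current browser every entry comes back false.

```javascript
// Added example (not from the post or Mozilla): inventory which of the legacy
// SpiderMonkey features named in the post a JS runtime still exposes.
// Attack surface you can enumerate is attack surface you can track removing.
'use strict';

// Constructed snippets using pre-ES6 syntax that modern engines reject.
const LEGACY_SYNTAX = {
  e4x: 'var x = <a/>;',                          // E4X XML literal
  letBlock: 'var y = let (x = 1) x;',            // non-ES6 let-block expression
  expressionClosure: 'var f = function() 1;',    // expression closure, no braces
  legacyGenerator: 'function g() { yield 1; }',  // yield in a non-star function
};

// Probes for legacy runtime hooks; each returns true only if the hook works.
const LEGACY_APIS = {
  'Proxy.create': () =>
    typeof Proxy === 'function' && typeof Proxy.create === 'function',
  'Object.prototype.watch': () =>
    typeof Object.prototype.watch === 'function',
  '__noSuchMethod__': () => {
    // Heuristic: old SpiderMonkey routed calls to missing methods through
    // this hook; modern engines throw TypeError instead.
    const o = { __noSuchMethod__: () => 'hooked' };
    try { return o.missingMethod() === 'hooked'; } catch (e) { return false; }
  },
  '__iterator__': () => {
    // Heuristic: legacy for-in honoured a user-defined __iterator__; modern
    // engines just enumerate it as an ordinary own property and never call it.
    const o = { __iterator__: () => ({ next() { throw new Error('consulted'); } }) };
    try { for (const k in o) { void k; } } catch (e) { return true; }
    return false;
  },
};

// Compile-only check: the snippet is parsed by the Function constructor but
// never executed, so an accepted snippet has no side effects.
function syntaxSupported(snippet) {
  try {
    new Function(snippet);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Returns { apis: {name: bool}, syntax: {name: bool} } for this runtime.
function inventoryLegacySurface() {
  const report = { apis: {}, syntax: {} };
  for (const [name, probe] of Object.entries(LEGACY_APIS)) {
    report.apis[name] = probe();
  }
  for (const [name, snippet] of Object.entries(LEGACY_SYNTAX)) {
    report.syntax[name] = syntaxSupported(snippet);
  }
  return report;
}

// Names of features the runtime still exposes (empty on a modern engine).
function exposedFeatures(report) {
  return [...Object.entries(report.apis), ...Object.entries(report.syntax)]
    .filter(([, supported]) => supported)
    .map(([name]) => name);
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = inventoryLegacySurface();
  console.log(JSON.stringify(report, null, 2));
  console.log('still exposed:', exposedFeatures(report).join(', ') || 'none');
}
```

Run it with `node audit.js` (any filename) on each engine build you care about; a feature that flips from true to false between builds is one whose removal you can now verify rather than assume, and one that flips back is a regression worth a bug.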