Attack surface reduction works:
http://blog.gerv.net/2013/10/attack-surface-reduction-works/

Removing E4X broke the NSA's "EGOTISTICALGOAT" attack - a type confusion
vulnerability in E4X.

In the spirit of learning from this, what's next on the chopping block?

A quick survey of the security-group led to the following suggestions,
and I'm sure there are more:

* JS engine: Proxy.create, Object.prototype.watch, __noSuchMethod__,
legacy (pre-ES6) generators, __iterator__, non-ES6 let-blocks, pre-ES6
expression closures

* Editor (share a JS implementation with Servo instead)

* Most OOM recovery in the JS engine

* FTP (perhaps replace with JS implementation from FireFTP)

* Windows integrated auth

* XSLT (Chrome have already announced they will remove it:
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/zIg2KC7PyH0 ;
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/k8aIeI6BCG0 )

Gerv
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform