On Thu, Mar 05, 2020 at 07:32:36AM -0700, Luke A. Call wrote:
> On 03-05 04:18, Tomasz Rola wrote:
> > On Wed, Mar 04, 2020 at 02:06:40AM +0100, whistlez...@riseup.net wrote:
> > > Hi,
> > > in the following message:
> > > https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> > > Theo discourages to use unveil instead of chroot.
> > > I asked if he suggests the same for the browser but he asked that chroot
> > > is only for *root*.
> > > Then what should I do to harden the most exposed piece of code that
> > > we use everyday?
> > > Now I'm using unveil+chrome...
> > > Thank you.
> > [....]
> > As for me, I use the trick with multiple users for different roles
> > (similar to other person who posted in this thread). I also employ
> > noscript in some of the roles.
>
> I just leave javascript off for usual browsing, with a tab sitting open
> in chromium or iridium to turn it on for the occasional temporary need,
> or added to the browser's exception list to allow permanently for
> certain sites. This partly because it seems easy, and partly since I
> probably won't know if a browser extension is sold to a malicious entity, or
> otherwise compromised (so, seems a smaller attack surface, but still usually
> convenient.)

As far as I know, many sites don't work without js. Anyway, I don't understand how switching off js defends you from a 0day browser bug. Maybe you mean that because many 0days concern javascript?