> Plenty of internal-only systems are not locked down securely and only thing preventing mass exploitation is browsers CORS settings.
CORS has no relation to this issue. Cross-origin means there are at least two origins, but in this case there is only one (where you're trying to navigate).
> But if request is originating from inside the network (as it would from a terminal emulator)
Why would the terminal make requests? Obviously it will dispatch the link to another program specialized in making requests to a protocol, like... a browser?
> Granted, on its own, this should be safe. But attacks are usually composed from multiple bugs and/or weaknesses in design. Hence why security folk keep talking about “defence in depth”
Every feature can be part of an exploit chain, but the "clicking a URL will always lead to the text it is under" ship has sailed 30+ years ago. If your system cannot safely handle this operation then you're in deep trouble, and I don't see how crippling every program in existence is the right solution to that.
> I actually voiced some concerns with this original hyperlink proposal several years back. In fact lots of developers and security researchers did.
Based on what you've written: you and other self-claimed "security researchers" started spamming this spec with concern trolling about hypothetical (non-existent) "security issues", then the author finally got tired and locked down comments, which were obviously intended for people interested in the feature, not those trying to sabotage it.
> Just one persons mission to dictate how everyone else’s terminal, and security model, should operate.
Nowhere does the proposal say that your terminal has to implement this. Indeed, if you have a working ANSI parser the escape sequence is ignored automatically (as the spec also explains).
Have you considered that the person trying to dictate how others' terminals should operate might be you?
> CORS has no relation to this issue. Cross-origin means there are at least two origins, but in this case there is only one (where you're trying to navigate).
Yes, that’s exactly my point. With websites you need two clicks to be compromised, but with a shell session you only need one.
> Why would the terminal make requests? Obviously it will dispatch the link to another program specialized in making requests to a protocol, like... a browser?
Social engineering is rife in browsers and this proposal offer almost nothing to prevent that from happening in the terminal
> Every feature can be part of an exploit chain, but the "clicking a URL will always lead to the text it is under" ship has sailed 30+ years ago. If your system cannot safely handle this operation then you're in deep trouble, and I don't see how crippling every program in existence is the right solution to that.
Again, that’s exactly my point. Terminal emulators are not designed around preventing these kinds of problems and this proposal does nothing to address that concern.
> Based on what you've written: you and other self-claimed "security researchers" started spamming this spec with concern trolling about hypothetical (non-existent) "security issues", then the author finally got tired and locked down comments, which were obviously intended for people interested in the feature, not those trying to sabotage it.
Wow, just wow. There’s taking a comment in bad faith and there’s what you’ve just done. Thanks for calling people trolls just for trying to discuss genuine security concerns.
> Nowhere does the proposal say that your terminal has to implement this. Indeed, if you have a working ANSI parser the escape sequence is ignored automatically (as the spec also explains).
Except the author of this proposed started spamming other projects asking them to implement it. How do you think this random gist became so infamous? It wasn’t stumbled upon by chance.
> Have you considered that the person trying to dictate how others' terminals should operate might be you?
This is another bad faith argument because I’m not the one pushing any proposals nor agenda here. I’m just offering some expertise.
As I said before, I have actually implemented hyperlinks in an open source terminal emulator which I contribute to. But we did it in a completely different way that ensures the terminal user has control over the links rather than an attacker.
And if other terminal maintainers want to follow this proposal verbatim then that’s their choice. I’m not stopping them. But it also doesn’t make my concerns any less valid.
Uh yes of course, I thought of that and thought "isn't that neat" but of course it goes against exactly what the author wants. I don't find this fear very natural I suppose! A different trusted third party could be nominated, I guess (KDE project nominate KDE e.V. for instance).
Validation errors aren't really "exceptions" to be thrown, they are indicators for authors that something is probably wrong but they make no visible difference in the output. I'm not sure if any browser even tracks them (and if one did, the best it could do is complain in the dev tools).
Also, this is not limited to HREF, it's defined in URL[0] so you can also put newlines in new URL("...") etc.
The greatest mistake IMO is the way float state leaks out of blocks, as this
is both extremely unintuitive and undesirable for performance reasons.[1]
Floats should've been restricted to inline formatting contexts, with all
in-flow blocks behaving as if they had `clear: both' set.
I also don't understand why they never specced the (much simpler)
`text-align: -moz-left/-moz-right/-moz-center' which already had precedent
in HTML with `<div align=left/right/center>'. It's the saddest part of the
"center a div" saga, all the W3C had to do to fix it is to assign a standard
keyword to a feature that everybody already implemented, but to this day
it still hasn't happened.[2]
[2]: After many long decades, they did finally specify block-level
`justify-items'. Two problems: a) it's backwards-incompatible with
text-align, b) it still doesn't work in Gecko.
CORS has no relation to this issue. Cross-origin means there are at least two origins, but in this case there is only one (where you're trying to navigate).
> But if request is originating from inside the network (as it would from a terminal emulator)
Why would the terminal make requests? Obviously it will dispatch the link to another program specialized in making requests to a protocol, like... a browser?
> Granted, on its own, this should be safe. But attacks are usually composed from multiple bugs and/or weaknesses in design. Hence why security folk keep talking about “defence in depth”
Every feature can be part of an exploit chain, but the "clicking a URL will always lead to the text it is under" ship has sailed 30+ years ago. If your system cannot safely handle this operation then you're in deep trouble, and I don't see how crippling every program in existence is the right solution to that.
> I actually voiced some concerns with this original hyperlink proposal several years back. In fact lots of developers and security researchers did.
Based on what you've written: you and other self-claimed "security researchers" started spamming this spec with concern trolling about hypothetical (non-existent) "security issues", then the author finally got tired and locked down comments, which were obviously intended for people interested in the feature, not those trying to sabotage it.
> Just one persons mission to dictate how everyone else’s terminal, and security model, should operate.
Nowhere does the proposal say that your terminal has to implement this. Indeed, if you have a working ANSI parser the escape sequence is ignored automatically (as the spec also explains).
Have you considered that the person trying to dictate how others' terminals should operate might be you?
reply