Font handling is also a large attack surface since font rendering is extremely complex and browsers expose it to untrusted input by supporting fonts provided by the site. CSS is super complex by itself and keeps getting more features that need to interact with all the others.
Conversation
And of course they support all kinds of different image, video and audio codecs. They also keep expanding the feature set with things like access to MIDI devices, Bluetooth and USB but at least those prompt the user to allow it. Have you seen issues like github.com/mozilla/standa?
2
1
There's literally a browser API which supports updating firmware on devices which mostly have no signature verification for the updates. The manufacturers consider that an important feature, even including the fact that there's no signature verification.
1
1
2
They don't want to deal with supporting updates and modding securely, so they expose firmware updates via an API exposed through web browsers and leave out verifying the updates. A user allowing access ends up letting a site implant it with persistent malware without any exploit.
1
Replying to
Firmware update should never be possible except via special physical interface solely for firmware update.
1
Replying to
These devices have a fair bit of attack surface and probably do need security updates though, and people wouldn't do it that way. It really needs signature verification and should check the origin of the update too along with requiring explicit consent to do it though.
1
It generally does none of that. There's just an extensible API exposed via the MIDI API and they stick firmware updates into that. Any site given access to the device at all can do a firmware update, and often there's no signature verification. These companies don't really care.
2
Replying to
Browser could parse the MIDI, only accepting standard commands, and rewrite it before sending to the device..?
1
Replying to
I think that's what Mozilla was proposing they are going to do, but there's a lot of push back from the users and device vendors because there's so much non-standard functionality. They seem to care a lot about allowing random sites to overwrite the firmware too... it's scary.
1
1
I haven't really looked into this feature for a couple years so I'm unsure what happened with it. As far as I can tell, not much has changed since then. It's still implemented by Chrome and Firefox is working on it:
1
I find Service Workers and background / periodic sync to be fairly disturbing too which we've discussed before:
developers.google.com/web/fundamenta
github.com/WICG/Backgroun
It heavily conflicts with almost every user's mental model about how a web browser works including my own.
Replying to
Absolutely. I nuke it by preventing writes to the path at the filesystem level. Because somehow the browsers can't be bothered to add a switch or site permission for it...