New issue
Advanced search Search tips Saved queries
Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Today
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security

  • Only users with SecurityTeam permission can see this issue.
  • Only users with EditIssue permission may comment.

Update hotlists

Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery

Reported by, Today (15 minutes ago)

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Steps to reproduce the problem:
Extensively described at:

these attacks leave NO evidences into the user's machine

What is the expected behavior?
The browser should not blindly execute programs that could be customized to attack the user or a third party through the user machines.

The execution of any program should be opt-in instead of opt-out.

JavaScript pages should be marked as "Not Secure" just like HTTP ones.

What went wrong?
An malicious server or CDN could gain control of several victims' resources like

- their IP
- their bandwith
- their computing power
- their RAM
- their disk (through browser cache)
- potentially others resources (gained through access to system vulnerabilities, think about Spectre/Meltdown)

This sort of attacks will be made even worse through the distribution of optimized WebAssembly (that will be way more obscure than obfuscated JavaScript)

Did this work before? No 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: 
Flash Version:

Comment 1 by A developer, Today (6 minutes ago)

Labels: Restrict-AddIssueComment-EditIssue
Status: WontFix (was: Unconfirmed)
Filing a bug here isn't the way to change web standards no matter how you feel about them.