Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 24 Oct 2023 18:56:27 +0200
From: Martin Hecht <>
Subject: Re: with firefox on X11, any page can pastejack you

On 20/10/2023 17:21, Turistu wrote:
> On Fri, Oct 20, 2023 at 03:27:41PM +0200, Solar Designer wrote:
>> Or isolate Firefox to its own X server (or at least a separate one from
>> where you run terminal emulators managing important stuff), like it
>> happens when you run it in its own VM (or perhaps many instances of it
>> in many VMs) on Qubes OS.  Indeed this also removes the convenience of
> If you do that, notice that you will also have to run a window manager
> inside that separate X server, because firefox (which never implemented
> the X11 and icccm protocols correctly) needs a wm in order to function
> properly (more precisely a point-to-focus wm or one that simulates
> point-to-focus just to keep firefox and some other horrors like old atk
> java apps happy).

there was a recommendation to run firefox as a different user, e.g. 
firefox, some time ago:

this firefox user doesn't have access to the primary and secondary 
selection buffer. Some details have changed, but basically I'm using 
this approach since then. It's a bit uncomfortable in daily use (like 
most security measures), because copy&paste out of firefox doesn't work 
anymore. But there is also this addon as a workaround, which lets me 
save text selected within firefox to a well-defined file, from where I 
can pick it up after careful inspection under my regular user:

But still, we are left with the problem that within firefox scripts can 
do all kind of bad things. NoScript addon can help here to some extend:

But unfortunately more and more web pages refuse to display anything if 
no scripts are allowed at all by default, which forces me to either 
admit tons of javascript on those pages or just leave them without 
reading... Ok, using separate browser profiles for different kinds of 
web pages is another approach (separate profiles for online banking, 
admin guis, regular browsing, another one for pages you trust less...)

best regards, Martin

Download attachment "smime.p7s" of type "application/pkcs7-signature" (5924 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.