Re: [dev-servo] State of Servo

2013-07-02 Thread Benjamin Smedberg
On 7/2/2013 11:31 AM, bigmikelilient...@gmail.com wrote:
> So, here's a question nobody's seemed to ask yet: Has anyone decided, exactly, what the user agent string will look like?
No, absolutely not. It's not even worth discussing yet.
--BDS

Re: [dev-servo] State of Servo

2013-07-02 Thread bigmikelilienthal
So, here's a question nobody's seemed to ask yet: Has anyone decided, exactly, what the user agent string will look like? Another browser will invariably mean another browser to have to target specifically, in certain cases :)

Re: [dev-servo] State of Servo

2012-07-27 Thread Ian Melven
.org, "Patrick Walton" , rob...@ocallahan.org Sent: Tuesday, July 24, 2012 12:01:31 PM Subject: Re: [dev-servo] State of Servo Hi, thanks for all the links to those papers on CFI etc, Brendan, i will give them a read. i'm familiar with commercial control flow restricting products (and byp

Re: [dev-servo] State of Servo

2012-07-25 Thread Brendan Eich
ubject: Re: [dev-servo] State of Servo Message-ID:<882102013.791286.1343156491144.javamail.r...@mozilla.com> Content-Type: text/plain; charset=utf-8 Hi, thanks for all the links to those papers on CFI etc, Brendan, i will give them a read. i'm familiar with commercial control flow rest

Re: [dev-servo] State of Servo

2012-07-25 Thread Leo Meyerovich
- Original Message - > From: "Brendan Eich" > To: rob...@ocallahan.org > Cc: dev-servo@lists.mozilla.org, "Patrick Walton" > Sent: Wednesday, July 11, 2012 9:44:01 PM > Subject: Re: [dev-servo] State of Servo > >> I'm more concerned about runtime b

Re: [dev-servo] State of Servo

2012-07-24 Thread Ian Melven
ike a good time to study up on how it's implemented. - Original Message - From: "Brendan Eich" To: rob...@ocallahan.org Cc: dev-servo@lists.mozilla.org, "Patrick Walton" Sent: Wednesday, July 11, 2012 9:44:01 PM Subject: Re: [dev-servo] State of Servo > I'

Re: [dev-servo] State of Servo

2012-07-12 Thread Robert O'Callahan
On Fri, Jul 13, 2012 at 10:52 AM, Andrew McCreight wrote: > Maybe you are thinking of translation validation [1]? > Yes, that! Rob -- “You have heard that it was said, ‘Love your neighbor and hate your enemy.’ But I tell you, love your enemies and pray for those who persecute you, that you may

Re: [dev-servo] State of Servo

2012-07-12 Thread Andrew McCreight
- Original Message - > On Fri, Jul 13, 2012 at 1:40 AM, Andrew McCreight < > amccrei...@mozilla.com > wrote: > Type preserving compilers are pretty great, because you can spot a > large number of compiler bugs without even running the program > you've compiled, but due to the very new natur

Re: [dev-servo] State of Servo

2012-07-12 Thread Robert O'Callahan
On Fri, Jul 13, 2012 at 1:40 AM, Andrew McCreight wrote: > Type preserving compilers are pretty great, because you can spot a large > number of compiler bugs without even running the program you've compiled, > but due to the very new nature of Rust and the use of LLVM as the backend > it seems uns

Re: [dev-servo] State of Servo

2012-07-12 Thread Andrew McCreight
- Original Message - > On Thu, Jul 12, 2012 at 4:44 PM, Brendan Eich > wrote: > > > I'm more concerned about runtime bugs -- the usual free memory read > > during a virtual call. Rust will have vtbls, IIRC, and it takes only one > > rooting or refcounting bug to enable an attacker to recl

Re: [dev-servo] State of Servo

2012-07-12 Thread Robert O'Callahan
On Thu, Jul 12, 2012 at 6:40 PM, Brendan Eich wrote: > Robert O'Callahan wrote: > > You could use NaCl without the Pepper baggage. >> > > How does this work? NaCl has its own libc and all the usual. I haven't had > time to play with it, but in a browser instead of Unix system calls, it > bottoms

Re: [dev-servo] State of Servo

2012-07-11 Thread Brendan Eich
Robert O'Callahan wrote: On Thu, Jul 12, 2012 at 4:44 PM, Brendan Eich wrote: I'm more concerned about runtime bugs -- the usual free memory read during a virtual call. Rust will have vtbls, IIRC, and it takes only one rooting or refcounting bug to enabl

Re: [dev-servo] State of Servo

2012-07-11 Thread Brendan Eich
Brendan Eich wrote: Google Native Client [2] is a leading CFI-enforcing compiler and runtime system. Anyone know of better? MSR had Xax [3] but it seems defunct. devd (Devdatta Akhawe, whom I had not met yet) on #developers corrected me: NaCl does SFI, not CFI. SFI goes way back, R. Wahbe,

Re: [dev-servo] State of Servo

2012-07-11 Thread Robert O'Callahan
On Thu, Jul 12, 2012 at 4:44 PM, Brendan Eich wrote: > I'm more concerned about runtime bugs -- the usual free memory read during > a virtual call. Rust will have vtbls, IIRC, and it takes only one rooting > or refcounting bug to enable an attacker to reclaim the live object's vtbl. > At least, t

Re: [dev-servo] State of Servo

2012-07-11 Thread Brendan Eich
Robert O'Callahan wrote: On Thu, Jul 12, 2012 at 7:08 AM, Brendan Eich wrote: Unsafe native code is one issue, but bugs in the smaller TCB of the Rust compiler and runtime that compromise CFI could still be exploited, fully in our experience in Firefox a

Re: [dev-servo] State of Servo

2012-07-11 Thread Robert O'Callahan
On Thu, Jul 12, 2012 at 7:08 AM, Brendan Eich wrote: > Unsafe native code is one issue, but bugs in the smaller TCB of the Rust > compiler and runtime that compromise CFI could still be exploited, fully in > our experience in Firefox and other Gecko/SpiderMonkey-based apps. > > So I wonder whethe

Re: [dev-servo] State of Servo

2012-07-11 Thread Brendan Eich
Patrick Walton wrote: On 7/11/12 10:09 AM, Ian Melven wrote: Also, in general, i'm pretty curious about Servo's process model and its security architecture, maybe that's best discussed in a new thread though (I really need to take some time to understand Rust better as well). My particular inte

Re: [dev-servo] State of Servo

2012-07-11 Thread Patrick Walton
On 7/11/12 10:09 AM, Ian Melven wrote: Also, in general, i'm pretty curious about Servo's process model and its security architecture, maybe that's best discussed in a new thread though (I really need to take some time to understand Rust better as well). My particular interest is in how Servo

Re: [dev-servo] State of Servo

2012-07-11 Thread Ian Melven
Hi, just joined the list and making a small note in reply to this thread : On Wednesday, June 27, 2012 7:19:13 PM UTC-7, Boris Zbarsky wrote: > On 6/27/12 6:49 PM, Robert O'Callahan wrote: >> and CSP can't actually dynamically change the origin of a >> document, can they? If they can we'd bet