Hacker News
by wbxrs 2675 days ago
A website cannot tell a browser to "load malware", unless we're talking about an exploit, which should be patched.

(Please don't say "if I send you a malformed png file you have to execute the exploit, otherwise your argument breaks down".)

4 comments

If I ask my User Agent to load a particular news article (for example), I am not intending to ask for a myriad of companies to start monitoring my reading habits, social interactions, shopping, or anything else.

When I buy and read a newspaper, I don't expect the publisher to start following me everywhere and keeping a log of my life. When I read an article online, I shouldn't have to think about that either. But sites have so flagrantly abused the ability to deliver more than just the content I've deliberately requested, in order to track (and monetize) user behavior everywhere, that it's entirely appropriate for my User Agent to take steps to defend me.

I don't mind a site delivering some ads alongside the content I've asked for, just like I accept some ads in a printed magazine. But I don't expect my magazine to come with an embedded tracking device that will stick to me like a burr, even long after I've read the content and recycled the pages.

How are you drawing a principled distinction between "if a website tells a browser to load something, the browser should do so" and "a website cannot load malware [except via an exploit]"? Clearly, asking the browser to load an EXE, or run this JavaScript that attacks website X, could be considered malware, so the line is fuzzier than 'if a website asks, a browser should load it'.

'We should patch exploits' and 'all things we would like to not load are considered exploits' seems to be rather begging the question. There is a class of things that use legitimate browser features, but we would prefer to not load by default.

Malware is software that is explicitly designed to disrupt, damage, or gain unauthorized access to a machine.

You are covering the unauthorized access but disrupting/damaging is absolutely possible using plain old HTML and JS.

Privacy advocates argue that it's not only possible but many trackers are guilty of exactly that.

So the browser is in fact blocking malware.

... And yes, if you think about it, that definition does apply to ads as well. Really says something, doesn't it :)

Sure they can, unrequested crypto miners running in the background are malware.
As opposed to requested crypto miners. I would gladly trade some processor time and energy so that I don't have to watch obnoxious ads.