by infotogivenm 2585 days ago
Yes. I think this is a common misconception.

These attacks work fine in the browser, as researchers continue to show. They allow complete bypass of any native app sandboxing layers. Surely you don't run everything on your box as root all the time.


Can you link to a hosted example of one of these? That would convince people nicely. Someone linked to one in a similar discussion yesterday but it didn't work anymore in currently patched browsers.
I'll keep HT on because I use NoScript and I encourage others to do the same.
Meh. It doesn't require JavaScript for your computer to run logic described by others. Browsers are such complex machines that it wouldn't surprise me if you could for example craft a malicious SVG that would bypass that, or a Turing-complete CSS file that triggers a vulnerability...

By the way, does NoScript actually block in-SVG JavaScript?

In-SVG JavaScript only gets executed when viewing an SVG document (and maybe an <embedded> SVG document), not when viewing an SVG in an img tag.
Sure, but we all take risks every day. If you're worrying about Turing-complete CSS files exploiting Spectre and Meltdown then you probably don't leave the house much.
We know that attackers have reason to exploit literally all compute resources they can find a way to access. This is more like worrying about leaving the house during an epidemic of exploding ebola-infected pigeons — if you can do something about it, you should.
Attackers also have to consider cost/benefit analysis when evaluating methods of attack. Claims that "CSS is Turing complete" require a user to act as a "crank" [0], so there is lower-hanging fruit out there than trying to program complicated logic which can utilize the Meltdown / Spectre exploits in CSS.

[0] https://news.ycombinator.com/item?id=10734966