by omcnoe 500 days ago
Serious answer, don't use Safari. Use a browser that properly separates webpages into isolated processes so that this kind of cross-site read is not possible.
2 comments

There’re no other browsers on iPhone. Every iPhone browser is a reskin of Safari. They’re in theory supposed to allow other browsers in the EU, but AFAIK it has not happened yet.
Then don't use an iPhone until it is patched.
What about turning JS off on your favourite iOS browser?
That wouldn't prevent possible malware apps using WKWebView from getting out of the jail they are running in, right?
Yes, I agree.

However, I also expect that Swift-compiled apps can do this without a web browser component.

It’s a different threat model though, having installed a malicious app vs browsing a malicious site.

Which is the reason, alongside telemetry, I tend to favor using websites over apps.

Having said that, there are apps that are considered mainstream and not malicious by the general population but can become a convenient backdoor for, say, a state actor.

No need to turn JS off. Turn on Lockdown Mode, which disables the JavaScript JIT and WASM, which might be enough.
It’s not.
Brave on iOS can limit JavaScript to trusted sites.
So could this hypothetically open a mail client on your iPhone and read your emails?
No, it doesn’t do cross-address space attacks.
God, I hate Apple sometimes.
Will that work? Isn't memory treated in a unified way between processes, at some point?
Processors are not supposed to speculate across ASIDs.
It will work unless someone forgets to add a public suffix into the public suffix list (as described in the FLOP paper). Both of these attacks target virtual memory pointers.