I discovered a browser bug

I can echo his experience reporting browser bugs and provide my own reviews:<p>Firefox - By far the best. Quick response, usually from engineers. If it&#x27;s important the fix will be quick.<p>Edge - No reply for months &#x2F; years. When I&#x27;ve gotten replies back it&#x27;s been to ask me to try with the current version. When I do and the bug still exists it goes back at the bottom of the queue it seems.<p>Chrome - Somewhat of a mixed bag. Some times responses are quick, some times they are from engineers. But most often I get replies that convey the person I&#x27;m speaking too is a very green QA type. I&#x27;ve gotten replies that the test case I provided them doesn&#x27;t reproduce the bug, because they had attempted loading it with the file:&#x2F;&#x2F; protocol (of course hardly anything works with the file protocol). I&#x27;m not sure, do they expect me to include a web server for them?<p>Safari - Only tried a couple of times, never gotten a whisper back.<p>I would rate my experiences as:<p>Firefox - A+<p>Chrome - C<p>Edge - D<p>Safari - F

The Microsoft experience reminded me of the time when security@apple.com went to the building security office, who just quietly deleted bug reports. Poor processes amd communication is one of the worst classes of security problem.

It&#x27;s quite incredible how the web managed to get along with such a janky sandbox model.<p>It&#x27;s a very important thing that users trust their browser and won&#x27;t hesitate a second to enter an unknown URL. They see &quot;going to a webpage&quot; as the equivalent to looking at a poster in the street, not eating candy provided by a random stranger.<p>Eroding this trust would ruin it for everyone, even well behaved static websites without javascript.<p>Maybe it&#x27;s time to reconsider giving the same execution rights to gmail and unknown web pages ?

&gt; Oh, I guess the vulnerability needs an extremely tenuous name and logo right? Here goes<p>I admire the extra touch here :)

I, too, discovered a browser bug. Specifically with mutation observers in Safari (but not Chrome, or other WebKit-likes) in a particular DOM event scenario. Fully replicable. Not a word from any team at Apple, no acknowledgement of the bug, no acknowledgment of the issue.<p>The situation is a common one wrt SPAs, routing, and changing a tree based on history state. I&#x27;m sure other frameworks have run into it. My brief experience documenting the issue solidified the position that I will never do it again.

This is really nice research! Simple, effective, and brutal.<p>This reminds me of the research that went into finding issues in the media plugin models. Essentially, once the security community discovered that Java and Flash, etc, plugins didn&#x27;t follow the same rules as the browser at all times - it became a free bug hunting exercise until the media plugin model just died.<p>I expect there are some &quot;side channel&quot; type ways to create high resolution timers in browsers which have removed built in support for them, for instance: WebAssembly? WebGL subroutines?<p>Anyway, congratulations.

This was such a nasty bug for Edge. Visiting any page means I could now read your private Messenger messages, or your email. You could even automate resetting the password to an account, and then automatically exfiltrating the URL!

That&#x27;s a really well-explained and clearly presented writeup of the bug and how it can be exploited as a vulnerability.

I&#x27;ve found a couple of browser bugs in different browsers (but nothing security-related). Nothing I&#x27;ve reported to browser teams has ever been fixed, even with simple standalone test cases. It&#x27;s definitely easier just to write a workaround and call it good.

Microsoft claims to be developer friendly these days, but they are clearly not white-hat friendly.

Another symptom of browser specs getting too complicated.

This just happened to be two anecdotes with 2 browser dev teams that should not be generalized.<p>Everyone who has to deal with n-th layer tech support regularly (where n &gt; 2) knows that even there it&#x27;s hit or miss. Sometimes you file a bug report and get a &quot;thanks, fixed!&quot; an hour later. Sometimes you spend an hour to gather all the data upfront only to be painstakingly taken through the exact same data gathering process step by step. By email. Over days. On a &quot;4h response&quot; SLA (and they always just barely make it, not considering the value of the &quot;response&quot;).<p>Randall Munroe has the best description: <a href="https:&#x2F;&#x2F;www.xkcd.com&#x2F;806&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.xkcd.com&#x2F;806&#x2F;</a>

I&#x27;m not familiar with the Web Audio APIs, was the Edge bug effectively interpreting the stream of bytes from the cross origin request as an &#x27;audio stream&#x27;, and then the OP just wrote a thing to convert it back so it could be converted into a string?

&gt; Lol no.<p>That hurts, Jake :(

Is it Tuesday?

Nice one!

tip of the iceberg?

First paragraph made me chuckle.

<p><pre><code> For example, the request may have the following header: Range: bytes=50-100 …which is requesting bytes 50-100 (inclusive) of the resource. </code></pre> I haven&#x27;t finished the article, but I&#x27;ve seen how this movie ends...

hn bet big money on firefox&#x2F;mozilla? all news for other web browser is bad except firefox. HN now is mozilla&#x27;s Microphone