Browser version numbers are misleading
garrett opened this issue · 1 comment
garrett commented
Using browser versions on our running/install page (https://cockpit-project.org/running.html) is misleading:
- There are numerous security issues in older browsers
- Some of these issues are quite bad and could take over a system
- Exploits exist in the wild and can attack some browser versions even just one release back (in some cases)
- A compromised system can affect not just the system the browser runs on, but possibly any system it connects to (using any connection method, like SSH, VNC, RDP, and even Cockpit)
- Compromised systems can possibly run keyloggers (sniffing out passwords)
- It's tied to version numbers, whereas Cockpit checks for browser functionality, not specific browsers or versions (as it should).
For the reasons listed above, I suggest we refocus the browser version block on the install page and stress the importance of using up-to-date browsers instead of specific versions.
Perhaps we should even mirror Cockpit's login check with JavaScript on that page and show if the current browser is supported or not.
garrett commented
For reference, here are the checks we perform on the login page:
https://github.com/cockpit-project/cockpit/blob/master/src/ws/login.js#L119-L176
The most important block of checks is:

```js
// req() and css() are helper functions defined in login.js (see the link above)
return ("MozWebSocket" in window || req("WebSocket", window)) &&
    req("XMLHttpRequest", window) &&
    req("sessionStorage", window) &&
    req("JSON", window) &&
    req("defineProperty", Object) &&
    req("console", window) &&
    req("pushState", window.history) &&
    req("textContent", document) &&
    req("CSS", window) &&
    req("supports", window.CSS) &&
    css("display", "flex") &&
    css("display", "grid");
```
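The check the first comment proposes for the install page, as an added example that is not Cockpit's own code: the same feature tests as the login-page block above, but taking `window`/`document` as parameters (so it can be exercised against a constructed stand-in) and reporting which capabilities are missing rather than only a yes/no. The `req`, `css`, `missingFeatures` and `browserSupported` functions and the `browser-check` element id are assumptions of this example.

```javascript
// Added example, not Cockpit's own code: a feature-detection check modelled on
// the login-page block quoted above. Globals are passed in as parameters so the
// same function runs in a browser (window, document) or against a constructed
// stand-in, and it reports which capabilities are missing, not only a yes/no.

// Does `obj` expose a property named `name`? Guarded with try/catch because
// probing some properties on unusual or sandboxed globals can throw.
function req(name, obj) {
  try {
    return obj != null && name in obj;
  } catch (e) {
    return false;
  }
}

// Does the CSS engine accept `property: value`? Relies on CSS.supports, which
// is itself one of the required features.
function css(win, property, value) {
  return req("CSS", win) && req("supports", win.CSS) &&
    win.CSS.supports(property, value) === true;
}

// Returns the names of the capabilities this environment lacks; an empty list
// means the browser passes the same checks the login page applies.
function missingFeatures(win, doc) {
  const checks = [
    ["WebSocket", () => req("MozWebSocket", win) || req("WebSocket", win)],
    ["XMLHttpRequest", () => req("XMLHttpRequest", win)],
    ["sessionStorage", () => req("sessionStorage", win)],
    ["JSON", () => req("JSON", win)],
    ["Object.defineProperty", () => req("defineProperty", Object)],
    ["console", () => req("console", win)],
    ["history.pushState", () => req("pushState", win.history)],
    ["textContent", () => req("textContent", doc)],
    ["CSS.supports", () => req("CSS", win) && req("supports", win.CSS)],
    ["CSS flexbox", () => css(win, "display", "flex")],
    ["CSS grid", () => css(win, "display", "grid")],
  ];
  return checks.filter(([, ok]) => !ok()).map(([name]) => name);
}

function browserSupported(win, doc) {
  return missingFeatures(win, doc).length === 0;
}

// On the install page (browser only; "browser-check" is an assumed element id):
// const missing = missingFeatures(window, document);
// document.getElementById("browser-check").textContent = missing.length
//   ? "Missing: " + missing.join(", ") + ". Please update your browser." : "Supported.";
```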