It would be nice to put out some new stuff.

Primary motivations:

1. placeholder attributes for textarea/input are everywhere, and often they have no other explanation of their purpose. Having to guess "this is probably for search, this is probably for username, this is probably for password" is no fun.
2. I know there are users just trusting dillo's https, so at the least it would be good for their https dpis to have a better cipher list and to disable SSL3 and compression.

And then pick out some small, safe fixes. Just to look at ChangeLog, some candidates might be:

- Fix crash that's possible searching for text while page still being built.
- Fix for segfault when there's no dpid and view source is requested.
- Fix view-source dpi to handle null characters correctly.
- Made view-source dpi use CSS formatting (it's shorter and cleaner).
- Crosscompile/buildroot-friendly fltk-config test.
- Fix X11 icon name.
- In location bar, tend toward showing beginning of URL instead of end.
- Handle irix's version of vsnprintf().
- Fix bug with font_factor preference and CSS font-size:(larger|smaller).
- Recognize Menu key in keysrc.
- Avoid requesting background images if an ancestor has display:none.
- Ignore built-in search url if any are specified in dillorc.
I wrote:
> It would be nice to put out some new stuff.

[snip]

Been experimenting with a 3.0.5 branch (hg graft). Jorge: Do you think it would be a good idea to pull in your image changes as well? We've been running on them for a long time and I imagine they wouldn't be entangled to any great degree with anything else.
On Tue, Jun 09, 2015 at 02:50:30PM +0000, eocene wrote:
> It would be nice to put out some new stuff.
>
> Primary motivations:
>
> 1. placeholder attributes for textarea/input are everywhere, and often they have no other explanation of their purpose. Having to guess "this is probably for search, this is probably for username, this is probably for password" is no fun.
> 2. I know there are users just trusting dillo's https, so at the least it would be good for their https dpis to have a better cipher list and to disable SSL3 and compression.
SSL3 and compression are not the main issue. HTTPS in dillo is completely broken because it does not check for domain name in the certificate. hg tip has checking code copied from wget and current dillo release has no code for it at all. It means that Dillo accepts any valid certificate as a certificate for, let's say, gmail. You can get one from StartSSL for free and test, it works.
noname wrote:
> SSL3 and compression are not the main issue. HTTPS in dillo is completely broken because it does not check for domain name in the certificate. hg tip has checking code copied from wget and current dillo release has no code for it at all. It means that Dillo accepts any valid certificate as a certificate for, let's say, gmail. You can get one from StartSSL for free and test, it works.
Right, I hadn't wanted to do any real New Work for 3.0.5 that would require a somewhat higher level of scrutiny and testing, but all right, I'll take a look at gluing that stuff into the https dpi.
I wrote:
> noname wrote:
>> SSL3 and compression are not the main issue. HTTPS in dillo is completely broken because it does not check for domain name in the certificate. hg tip has checking code copied from wget and current dillo release has no code for it at all. It means that Dillo accepts any valid certificate as a certificate for, let's say, gmail. You can get one from StartSSL for free and test, it works.
>
> Right, I hadn't wanted to do any real New Work for 3.0.5 that would require a somewhat higher level of scrutiny and testing, but all right, I'll take a look at gluing that stuff into the https dpi.
Adapted the name checking to fit into the dpi, plus server name indication while I was at it. Looks like it may be working. I'll push the code to the server later if you can promise to help give it heavy testing in coming days. When you're browsing, if you just change http to https, so many sites that don't expect TLS connections will offer up certificates that are broken in some way. And then try the various cancel/continue combinations...
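
The name check discussed in this thread, as an added example that is not part of the original messages and is not Dillo's or wget's code: a stand-alone matcher that decides whether the names carried in a certificate cover the host the user requested. The function names and the sample names in the test are hypothetical, and the sketch assumes the host is a DNS name (not an IP address) and that the caller has already extracted the names from the certificate.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two names. */
static int name_eq(const char *a, const char *b)
{
   for (; *a && *b; a++, b++)
      if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
         return 0;
   return *a == '\0' && *b == '\0';
}

/* Return 1 if one certificate name pattern covers host, else 0.
 * A '*' is honoured only as the whole leftmost label, stands for
 * exactly one label, and needs at least two labels after it. */
int pattern_matches_host(const char *pattern, const char *host)
{
   const char *rest, *dot;

   if (!pattern || !host || !*pattern || !*host)
      return 0;
   if (pattern[0] != '*')
      return strchr(pattern, '*') ? 0 : name_eq(pattern, host);
   if (pattern[1] != '.' || strchr(pattern + 1, '*'))
      return 0;                       /* "*a.com", "*.*.com" rejected */
   rest = pattern + 1;                /* ".example.org" */
   if (!strchr(rest + 1, '.'))
      return 0;                       /* "*.com" rejected */
   dot = strchr(host, '.');
   if (!dot || dot == host)
      return 0;                       /* no label for '*' to stand for */
   return name_eq(rest, dot);
}

/* Return 1 if any of the n names taken from the certificate (DNS
 * subjectAltName entries, or the common name when there are none)
 * covers the host the user asked for. An empty list never matches. */
int cert_names_match_host(const char *const *names, size_t n, const char *host)
{
   size_t i;

   for (i = 0; i < n; i++)
      if (pattern_matches_host(names[i], host))
         return 1;
   return 0;
}
```

A client that validates the chain but skips this comparison treats a certificate issued for one site as good for every site, which is the failure described above.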
participants (2)
- eocene@gmx.com
- noname@inventati.org