Can someone please help me clear something up, as I have not been able to figure it out for sure myself...
If I understand correctly, it is possible to perform these exploits with JavaScript. What about without?
Let's say I set javascript.enabled=false, is it possible to break out of the browser's sandbox with just HTML5 + CSS? I have read that today it is "Turing-complete"...
I understand the only way it can be exploited in javascript relies on access to a very precise timing API, which is trivial for browser vendors to make less precise. I wouldn't worry too much about javascript at least as far as this vulnerability is concerned.
Because of javascript's wide surface area, it's nigh-impossible for browser manufacturers to be sure that they've disabled indirect access to timing data.
The original proof of concept didn't even use a "precise timing API"; it featured `while(true){ i++; }` to increment a counter, and pulled timing information out of that side-channel.
It is trivial for the browser vendors to disable access to a specific API, but we're in for a game of whack-a-mole.
Dismiss the exploitability of javascript at your own peril - sure, WebWorkers and SharedArrayBuffer are this week's blocked timing attack, but smart money says there are other ways to get timing information that are unpatched.
Direct use of timing APIs isn't the only channel; it's also possible to make your own timer by having another thread increment a shared variable in a tight loop. Firefox has banned SharedArrayBuffer to block one way of arranging this, but there may be others. https://security.stackexchange.com/questions/177033/how-can-...
If that's the case, how is the virus going to infect my computer unless I run untrusted code I downloaded on purpose? And if I'm doing that then I am accepting I'm likely going to get hacked, before and after Spectre/Meltdown, so how exactly are they making the situation worse?
An attacker needs the ability to compute on your local machine. Javascript is the way to do that in a browser.
With just CSS this should be impossible / very unlikely. I guess it is probably technically possible, but I do not expect to see exploits using just CSS.