
SoylentNews is people

posted by Fnord666 on Wednesday February 28 2018, @06:07PM
from the just-use-lynx-and-elm dept.

Jake Archibald writes in his blog about the bigger problem presented by importing third-party content into web pages. Even CSS is a problem as a CSS keylogger demo showed the other day.

A few days ago there was a lot of chatter about a 'keylogger' built in CSS.

Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.

While most are acutely aware, yet ignore, the danger presented by third-party JavaScript and JavaScript in general, most forget about CSS. Jake reminds us and walks through quite a few examples of how CSS can be misused by third parties exporting it.

Source : Third party CSS is not safe


  • (Score: 2) by RS3 on Wednesday February 28 2018, @06:41PM (15 children)

    by RS3 (6367) on Wednesday February 28 2018, @06:41PM (#645298)

    All of this code-bloating functionality being added to webpages and browsers, and we have to bloat some more with add-ons, extensions, and plugins just to stop all of it. If only someone would make a slimmed-down simplified browser... let's name it, I don't know, maybe something hot and sly. (cough cough)

    "disable-HTML" purports to block several things including CSS. Trying it now... seems to work! Here's a link for Chrome-based browsers:

    https://chrome.google.com/webstore/detail/disable-html/lfhjgihpknekohffabeddfkmoiklonhm?hl=en-US [google.com]

    "uMatrix" also does this, well. I like it, but it's a bit of work to teach it.

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday February 28 2018, @07:05PM (11 children)

    by Anonymous Coward on Wednesday February 28 2018, @07:05PM (#645311)

    I could have sworn that disabling external fonts was a standard feature in at least one browser. Disabling CSS should be easier. Custom stylesheets might require a plugin.

    • (Score: 2) by maxwell demon on Wednesday February 28 2018, @07:23PM (10 children)

      by maxwell demon (1608) on Wednesday February 28 2018, @07:23PM (#645326) Journal

      Disabling CSS should be easier.

      Indeed, Firefox has an option for it right in its menu (or maybe had? I don't know what changed in the latest versions).

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 1, Informative) by Anonymous Coward on Wednesday February 28 2018, @09:27PM (5 children)

        by Anonymous Coward on Wednesday February 28 2018, @09:27PM (#645406)

        Unfortunately nobody knows how to design webpages anymore. The entire layout breaks down because it's some garbage hammered together in a manner wherein the layout isn't preserved if styles are turned off (properly designed HTML pages of ages past would render correctly because devs didn't assume the web was some magical WYSIWYG thingamabob).

        • (Score: 4, Interesting) by lentilla on Thursday March 01 2018, @02:24AM (4 children)

          by lentilla (1770) on Thursday March 01 2018, @02:24AM (#645572)

          No, the websites of today are far better than those of the past.

          I do, however, understand how you have reached the conclusion that "nobody knows how to design webpages anymore". In the past, if you "turned off styles", the most that would likely happen is the text was in black-and-white, the fonts lost their bling, but the page more-or-less looked the same. The graphics stayed put and the page layout was basically the same. Nowadays, "turn off styles" and the entire page falls apart - everything in a single long column and stuff that was on the right-hand of the page now appears at the bottom of the column.

          That is by design. In fact, it was the web-designers of the past who were in error. (It wasn't their fault - more on that below.)

          You remember all that high-minded talk about separation of content and presentation? Well, in the bad old days, it really was just talk. Due to the horrid compliance to web "standards", the only way a web designer could make a webpage stay together was to use nasty little tricks. (Microsoft's Internet Explorer holds the lion's share of the blame here.) Web-design was pretty much the antithesis of programming - nothing was deterministic, and the page would render ten different ways in five different browsers and sometimes changed depending on the wind.

          The main dirty tricks used in the past were tables and frames. Whilst it worked (sort-of), doing so created an entire class of other problems. Fragility was one. Remember "Best designed for Internet Explorer at 800x600 resolution"? Yuck. The other big loser was semantic context. Our brain is pretty good at turning a page into information, but I would have hated to rely on a screen reader to parse a single webpage. Today, despite the seemingly random jumble of text when styles are turned off, the page is much more transparent to screen readers and other automated systems.

          So time moved on and today we have HTML5. Which, for anyone who was forced to design webpages in the past, is a thing of true beauty. It follows the "principle of least surprise" (mostly), the language can be regular (you can treat it as XML and validate your code - yeah, can you imagine a programming language where nobody could tell you if it was syntactically correct? Yep, that was HTML in the past.) Semantic tags allow us to identify the purpose of content on our page. One example is having "navigation section" tagged with a <nav> tag which is immediately obvious to screen readers.

          CSS ("styles") go hand-in-glove with HTML5. The HTML describes the content and the CSS describes the presentation. After years of being a pipe-dream it's more-or-less possible to achieve separation. On the first level, CSS allows the designer to specify fonts and colours. On the second level, there is something called the "box model" which allows placement of elements of the page. On the third level, a properly designed page will flow correctly no matter what size the page is being rendered on. Like was originally intended - before HTML in reality became a bastardised version of a PDF that would break when the wind changed.

          The downside to all this magic is that the webpage falls apart when styles are turned off. Trust me, it only falls apart visually. (Unsurprising, since you turned the "visual" part off.) At the same time, the page remains utterly readable to machines.

          Having a webpage fall apart is a worthwhile price to pay. So many, many man-years of programmer time were wasted in the intervening years.

          • (Score: 0, Touché) by Anonymous Coward on Thursday March 01 2018, @04:03AM

            by Anonymous Coward on Thursday March 01 2018, @04:03AM (#645598)

            No, the websites of today are far better than those of the past.

            Ha! Good one. Oh, wait, you're serious?

            BWAAAHAHAHAHAHAHAHAHAHAHAHA!

          • (Score: 4, Insightful) by maxwell demon on Thursday March 01 2018, @06:57AM (1 child)

            by maxwell demon (1608) on Thursday March 01 2018, @06:57AM (#645645) Journal

            The number of properly designed pages is very low. And many current web sites are a load of JavaScript anyway, and without JavaScript, you get displayed none of the content (how does that work with screen readers?) And those which aren't typically have a hard-coded width; if shown on a big window, you just get loads of blank on both sides; even worse, if the font is too small on your display and you magnify it, the column doesn't get wider, but there just fits less text on that tiny column.

            No, the good old time was when web designers didn't yet exist. People would write web pages that worked well without placement. Yes, browsers would render them slightly different, but that was expected and didn't matter, because the pages just contained the information.

            Now in theory, using CSS you can write designed web pages that don't fall apart when CSS is disabled. No, you won't get fancy designs that way, but things can be in a logical order, and there are still the logical tags like h1, h2, em, strong, etc. It's just that few people care to do that. So in theory, CSS was a godsend. But in reality, web designers don't use it well.

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 2) by Pino P on Thursday March 01 2018, @10:00PM

              by Pino P (4721) on Thursday March 01 2018, @10:00PM (#646032) Journal

              and without JavaScript, you get displayed none of the content (how does that work with screen readers?)

              According to Mother Effing Tool Confuser [mothereffingtoolconfuser.com], web browsers that output speech execute JavaScript in the same way as visual ones. They just use the stylesheet's voice properties instead of its visual properties, and they use ARIA attributes to announce important elements to the user.

          • (Score: 0) by Anonymous Coward on Thursday March 01 2018, @03:49PM

            by Anonymous Coward on Thursday March 01 2018, @03:49PM (#645813)

            Yes, instead in our brave new world we have "Best viewed with Google Chrome", alongside myriads of CSS hacks meant to work around browser specific deficiencies (that bog down every other browser by virtue of being forced to log and deal with invalid CSS not meant for it), webpages composed of 40+ layers of nested content-less divs, AJAX that silently loads page components and mysteriously breaks if a connection times out, web pages trying to do the browser's job and lazy-load images (so now we can't even get images w/o scripting).

            ...as for it being easier for machines to understand webpages. If this were actually the case we would be seeing an uptick in browser diversity, instead there's really just one rendering engine to rule them all now (with the remaining alternatives milling about in a morass of increasing irrelevance).

      • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @01:15AM (3 children)

        by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @01:15AM (#645546) Homepage Journal

        otherwise I can't log in to one of my very favorite websites of ill repute.

        After doing this too many times I just switched to Chrome.

        --
        Yes I Have No Bananas. [gofundme.com]
        • (Score: 2) by RS3 on Thursday March 01 2018, @02:11AM (2 children)

          by RS3 (6367) on Thursday March 01 2018, @02:11AM (#645564)

          Have you tried Vivaldi? I'm using it a lot (like now). It's chrome-based, and I think it's slightly faster, but I haven't done a 1-to-1 comparison. Most software, cleaners, plugins, etc., see it as chrome. I just like the UI and settings better.

          • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @07:39AM (1 child)

            by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @07:39AM (#645660) Homepage Journal

            I'll give it a try this weekend.

            Really I prefer Safari to Chrome. Hopefully I will prefer Vivaldi to Safari.

            Safari doesn't have an API for Add-Ons.

            --
            Yes I Have No Bananas. [gofundme.com]
            • (Score: 2) by RS3 on Thursday March 01 2018, @03:07PM

              by RS3 (6367) on Thursday March 01 2018, @03:07PM (#645784)

              You're so kind, thank you. There are too many browsers out there. I've been using Dolphin on Android (when I'm not near a bigger computer) and it's pretty cool. I've also been using Opera Mini on Android. Ever since a Chinese company bought Opera I'm cautious- nothing involving $, personal info, logins, etc., is done on Android.

              I do use Safari on MacOS, but I've never tried it on PC.

              I'm curious how you like Vivaldi. They update it fairly regularly. I'm not a fan of auto-updaters, and every time you update Vivaldi it turns on: (upper-left "V" button) --> Tools --> Settings --> Updates --> Notify About Updates, which just starts and runs update_notifier.exe.

              Extensions I have installed (there are so many available), but not necessarily turned on, are:

              Adblock Plus
              AdGuard AdBlocker
              DuckDuckGo Privacy Essentials (DuckDuckGo is the default web search for Vivaldi)
              Fair AdBlocker
              Fair AdBlocker App
              Fair Ads
              Script Blocker for Chrome
              Script Defender

              Extensions I have installed and usually turned on:

              disable-HTML
              HTML5 Video Autoplay Blocker
              Disable HTML5 Autoplay
              Privacy Badger
              uBlock Adblock Plus
              uBlock Origin
              uBlock Origin Extra
              Video Blocker by plowman

              Awesome extension, on when I'm super-cautious, bit of a learning curve including that you teach it as you go:

              uMatrix

  • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @01:14AM (2 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @01:14AM (#645544) Homepage Journal

    "One of my customers complained that his computer was slow. He had nine toolbars." -- Thomas Leavitt [880itservices.com].

    You can make something foolproof but you can't make it damnfool-proof.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by maxwell demon on Thursday March 01 2018, @07:01AM (1 child)

      by maxwell demon (1608) on Thursday March 01 2018, @07:01AM (#645648) Journal

      There is no inherent reason why a toolbar should make your computer slow (unless you are low on memory). A well-designed toolbar should just sit there until you use it, without eating resources (other than the little that is needed to display it; but note that otherwise something else would be displayed at that place).

      --
      The Tao of math: The numbers you can count are not the real numbers.