
posted by Fnord666 on Wednesday February 28 2018, @06:07PM
from the just-use-lynx-and-elm dept.

Jake Archibald writes in his blog about the bigger problem presented by importing third-party content into web pages. Even CSS is a problem as a CSS keylogger demo showed the other day.

A few days ago there was a lot of chatter about a 'keylogger' built in CSS.

Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.

While most are acutely aware of, yet ignore, the danger presented by third-party JavaScript (and JavaScript in general), most forget about CSS. Jake reminds us and walks through quite a few examples of how CSS supplied by third parties can be misused.

Source: Third party CSS is not safe

  • (Score: 5, Interesting) by requerdanos on Wednesday February 28 2018, @06:49PM (15 children)

    by requerdanos (5997) Subscriber Badge on Wednesday February 28 2018, @06:49PM (#645302) Journal

    Third-Party Web Content is Unsafe... While most are acutely aware, yet ignore, the danger presented by third-party javascript and javascript in general, most forget about CSS.

    I am webmaster and/or server admin for several sites. The ones where I have editorial control and decision-making power, I eliminate third-party content as a standard practice.

    But some (a wordpress full of plugins, for example) just don't work that way because of the toxic phone-home viewpoint pervasive in the technology industries.

    Just as your home automation used to be, years ago (think X10), based on devices you own that do their work in your home, and now are expected to be on devices (think Alexa) you license, who do no work but simply turn everything over to their masters back at the home office, so website features used to be things that you coded into your website, that ran on your server, but now are expected to be simply references to some master back at the home office on a third party server.

    In both cases, I think this is the wrong way to go.

    Google fonts/analytics? bzzt. I request fonts in css with graceful fallback to sans, serif, mono, etc, and analyze my web logs.

    Just insert this iframe ad code? Bzzt. If I want to add a link, I add a link, not an iframe. I am working on writing an ad distribution network where the ads live on the server and are part of the web site that displays them, and are counted by tiny graphic elements within the ad that the user can cheerfully choose to not load, just like the ads themselves which will be clearly delineated with something like <div id="here-be-ads-matey">.

    This handy web 2.0, 3.0, 9.0 widget, just add this code to call the javascript code on our servers? Bzzt. This is the wrong approach!

    I wish the people that made web pages would adopt this view. It affects everyone who looks at a web page, but the page makers are the group that accept or reject these technologies in a way that makes them successful or not.

    If that doesn't happen, then third-party content being unsafe will still be true, but will remain unavoidable. Because it is completely avoidable, that would be a security-hating shame.

  • (Score: 3, Insightful) by Arik on Wednesday February 28 2018, @07:07PM (5 children)

    by Arik (4543) on Wednesday February 28 2018, @07:07PM (#645312) Journal
    Unfortunately these people are automatons. Wage slaves just trying to get through the day and on to the things they actually care about.

    The only way I can see, at this point, to force any sort of sane web practices would be for browsers to start enforcing sanity and after so many years of bending over backwards in the other direction that doesn't exactly seem likely. As long as they can get away with it, they're going to keep doing it, and what's more bad eventually drives good out of the market in that situation - each year fewer and fewer people will bother to pay for skilled labor to do it right when they see everyone else has gone cheap and gets away with it.

    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 4, Informative) by requerdanos on Wednesday February 28 2018, @07:51PM (2 children)

      by requerdanos (5997) Subscriber Badge on Wednesday February 28 2018, @07:51PM (#645345) Journal

      browsers to start enforcing sanity and after so many years of bending over backwards in the other direction that doesn't exactly seem likely.

      Some of our big browser vendors are Microsoft "You Will Be Windows Ten-ilated; resistance is futile" "Meet Cortana!" and Google "Hey Google, how are your analytics looking for my sites and their googlefonts?"

      So, yeah, no, not likely-looking.

      Unfortunately these people are automatons.

      It's not just apathy among coders. The decision makers are often intelligent people who are really good at what they do (but it isn't IT, it's fixing cars, or practicing law, or doing surgery, or practicing medicine, etc.).

      These people, having management skills, hear "That great (tool|technology) you read about isn't a good fit for your site because it requires dependence on third party inclusions." And they say something like "But if you just did what I said, it would work fine, and most people don't care, right? Get to it if you want to keep getting paid."

      It's like why people who otherwise wouldn't choose to still run Microsoft operating systems. Their job/executive funding source doesn't want to lead anyone to freedom, they just want to lead their company to income, and technology that doesn't respect anyone or anything is widely accepted to a degree that it's easy to just use it and say "it was industry best practices. I was doing good for my company."

      Stallman, who is an admitted nut, is right on this. If you agree, tell him so [fsf.org].

      • (Score: 3, Insightful) by Arik on Thursday March 01 2018, @12:11AM (1 child)

        by Arik (4543) on Thursday March 01 2018, @12:11AM (#645512) Journal
        I used to think Stallman exaggerated the threat.

        Time has proven me wrong. If anything, he's minimized it.
        --
        If laughter is the best medicine, who are the best doctors?
        • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @12:59AM

          by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @12:59AM (#645534) Homepage Journal

          What appeared to be "resume.doc" on my website used to link to the above essay.

          I put that link on my website roughly twenty years ago. The recruiters still ask for word resumes.

          It eventually occurred to me that their resume retrieval applications were hardwired to parse word .doc documents. For word attachments to become a thing of the past, all those body shops would need new versions of those applications. For that to happen, those applications' vendors would have to lift a finger.

          I finally sidestepped the problem by removing my resume from the web. Its old URL still works but it redirects to my homepage.

          --
          Yes I Have No Bananas. [gofundme.com]
    • (Score: 3, Insightful) by el_oscuro on Thursday March 01 2018, @01:52AM (1 child)

      by el_oscuro (1711) on Thursday March 01 2018, @01:52AM (#645556)

      They do. It's called content-security-policy. If a website implements it, it nukes XSS from orbit. Your browser literally says "fuck you" to any in-line or unknown third party JavaScript. The reason it isn't implemented is because it totally breaks the shitty ad model. Websites would have to *actually* host their own ads or at least know exactly where they came from.

      --
      SoylentNews is Bacon! [nueskes.com]
      • (Score: 2) by canopic jug on Thursday March 01 2018, @06:08AM

        by canopic jug (3949) Subscriber Badge on Thursday March 01 2018, @06:08AM (#645630) Journal

        Or they could just do ads without infecting viewers with javascript. There are no technical reasons that the ads could not be plain PNG, JPEG, or GIF. I'm not sure about APNG but maybe that too. On the other hand there are many reasons not to include scripts, especially from the viewpoint of those targeted to receive said scripts. There is now even a word for the malware that spreads through the advertisements, malvertising [wired.com], and it's not a new thing either.

        Brendan Eich, who developed javascript, himself even says you should block javascript used for 3rd party trackers, fingerprinting, and ads. Though that is said as part of his promotion of his new browser, Brave [brave.com].

        --
        Money is not free speech. Elections should not be auctions.
  • (Score: 2) by stretch611 on Wednesday February 28 2018, @09:49PM (2 children)

    by stretch611 (6199) on Wednesday February 28 2018, @09:49PM (#645421)

    Unfortunately, many web "developers" rely on 3rd party code as a crutch. If they did not use 3rd party content they would have to write the code themselves.

    Even the developer of the linked article uses 3rd party content... He has commenting provided by Disqus. (I did not try to look for any, but that was obvious.)

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
    • (Score: 2) by requerdanos on Wednesday February 28 2018, @10:13PM

      by requerdanos (5997) Subscriber Badge on Wednesday February 28 2018, @10:13PM (#645436) Journal

      many web "developers" rely on 3rd party code as a crutch. If they did not use 3rd party content they would have to write the code themselves.

      Well, I believe that's because of this pervasive phone-home mindset.

      Before that mindset took hold here, it was "If they did not use third party content then they would have to copy and paste the code into their own site."

      Since having things work autonomously on the server of the website is no longer important, most code doesn't work nowadays unless it's in touch with the mothership.

      I am kind of anti-mothership. Snowden is a hero.

    • (Score: 0) by Anonymous Coward on Thursday March 01 2018, @02:45PM

      by Anonymous Coward on Thursday March 01 2018, @02:45PM (#645774)

      I've started to use third party CSS, but it is served from my servers rather than use a CDN.
      I'm... not sure if this counts as bad or not (from your point of view).

      I will totally admit it is a crutch though. I find CSS very frustrating to work with and since I started using this framework, I've finished doing CSS-related stuff and still been in a good mood at the end of it!

  • (Score: 2) by el_oscuro on Thursday March 01 2018, @02:12AM (5 children)

    by el_oscuro (1711) on Thursday March 01 2018, @02:12AM (#645566)

    I am also a webmaster, and would love to have ads that I host myself. If you have something, I am definitely interested. I'm hoping to fully implement content-security-policy [google.com], which completely nukes XSS and any other shitty third party content. It also nukes the shitty ad model websites use today, which is literally written in XSS.

    --
    SoylentNews is Bacon! [nueskes.com]
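As an added example for the two comments above that recommend content-security-policy (it is not from those comments or from SoylentNews), a small Python checker with assumed names that parses a Content-Security-Policy header and flags the settings that still let inline or off-site script, style and images through; the sample policies and the site host are constructed. It covers style-src and img-src as well as script-src, since the CSS keylogger demo in the story depends on style rules and the image requests they trigger.

```python
# Directives that decide where script, style and (for CSS url() loads) images
# may come from. A missing one falls back to default-src, or to "anything".
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src")

# Constructed sample policies: a permissive one and a strict one.
WEAK_CSP = ("default-src *; script-src 'self' 'unsafe-inline' "
            "https://ads.example-network.test; style-src 'self' 'unsafe-inline'")
STRICT_CSP = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'"


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_host(src: str) -> str:
    """Host part of a host-source such as https://cdn.example.net:443/x."""
    host = src.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host[2:] if host.startswith("*.") else host  # *.example.org -> example.org


def audit_csp(header: str, site_host: str) -> list:
    """Return findings for settings that let inline or off-site content load."""
    policy = parse_csp(header)
    site_host = site_host.lower()
    findings = []
    for directive in FETCH_DIRECTIVES:
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append(f"{directive}: unrestricted (neither it nor default-src is set)")
            continue
        for src in sources:
            low = src.lower()
            if low == "'unsafe-inline'":
                findings.append(f"{directive}: 'unsafe-inline' lets injected inline code run")
            elif low in ("*", "http:", "https:", "data:"):
                findings.append(f"{directive}: {src} allows any origin")
            elif low.startswith("'") or low.endswith(":"):
                continue  # 'self', 'none', nonces, hashes and other scheme sources
            else:
                host = source_host(low)
                if host != site_host and not site_host.endswith("." + host):
                    findings.append(f"{directive}: off-site source {src}")
    return findings
```

Running `audit_csp(WEAK_CSP, "www.example.org")` reports four findings (two 'unsafe-inline' entries, the ad network host, and the wildcard img-src inherited from default-src), while the strict policy reports none.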
    • (Score: 2) by Pino P on Thursday March 01 2018, @10:14PM (4 children)

      by Pino P (4721) on Thursday March 01 2018, @10:14PM (#646038) Journal

      I agree that web ads are broken. But what not-broken revenue model would you prefer?

      Paywall
      This turns away users arriving at the site from search, social sharing, or citation in other documents, because few people are willing to spend $6 on a month's subscription to one site (or on a 300-pack of article views on one site) just to read one article. Selling individual articles doesn't work outside scholarly journals because of the fee per transaction that both credit card processors and ACH processors charge to merchants.
      Publisher-hosted ads
      Daring Fireball sells ad space directly to advertisers. But then not all sites receive nearly as much traffic as Daring Fireball, and it'd be much harder for smaller sites to find buyers for their inventory.
      Something else
      I'm curious what you have in mind.
      • (Score: 2) by Justin Case on Thursday March 01 2018, @10:56PM (3 children)

        by Justin Case (4239) on Thursday March 01 2018, @10:56PM (#646063) Journal

        what not-broken revenue model would you prefer?

        None.

        Maybe you consider that "broken", but the web was a lot better before all the fast-buck artists showed up.

        People who thought they had something worth saying paid a few bucks a year for web hosting to get their message out, or share their software, or whatever they'd created that seemed worthwhile to them. Participants in this "sharing economy" invariably got a thousand times more out than they put in, and the freeloaders weren't much of a burden.

        Then a billion assholes showed up, all thinking "how can I get rich from other people's work?" and it has plummeted downhill like a rocket-powered bobsled ever since.

        Our big mistake was making it easy for idiots. We need to return to the days when a little technical knowledge was required as a small barrier to entry.

        • (Score: 2) by Pino P on Friday March 02 2018, @01:54AM (2 children)

          by Pino P (4721) on Friday March 02 2018, @01:54AM (#646158) Journal

          A return from a commercially dominated web to a hobbyist-dominated web would decrease the demand among viewers for Internet access, which would in turn make it no longer economical for your ISP or its competitors in your area (if any) to continue to offer high-speed Internet access at an affordable rate.

          • (Score: 2) by Justin Case on Friday March 02 2018, @12:59PM (1 child)

            by Justin Case (4239) on Friday March 02 2018, @12:59PM (#646324) Journal

            You don't need high speed when a page is only 40K. And it was not only affordable, you had many providers to choose from, which kept prices down and service up.

            • (Score: 2) by Pino P on Friday March 02 2018, @03:59PM

              by Pino P (4721) on Friday March 02 2018, @03:59PM (#646441) Journal

              Though dial-up was competitive, you did need a POTS line, and many households have long since given that up in favor of a cellphone.

              How would amateur video be transmitted over such an infrastructure? Mail order DVD+R?