
SoylentNews is people

posted by Fnord666 on Wednesday February 28 2018, @06:07PM
from the just-use-lynx-and-elm dept.

Jake Archibald writes in his blog about the bigger problem presented by importing third-party content into web pages. Even CSS is a problem as a CSS keylogger demo showed the other day.

A few days ago there was a lot of chatter about a 'keylogger' built in CSS.

Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.

While most are acutely aware of, yet ignore, the danger presented by third-party JavaScript and JavaScript in general, most forget about CSS. Jake reminds us and walks through quite a few examples of how CSS can be misused by third parties exporting it.

Source: Third party CSS is not safe



 
  • (Score: 1, Informative) by Anonymous Coward on Wednesday February 28 2018, @09:27PM (5 children)

    by Anonymous Coward on Wednesday February 28 2018, @09:27PM (#645406)

    Unfortunately nobody knows how to design webpages anymore. The entire layout breaks down because it's some garbage hammered together in a manner wherein the layout isn't preserved if styles are turned off (properly designed HTML pages of ages past would render correctly because devs didn't assume the web was some magical WYSIWYG thingamabob).

  • (Score: 4, Interesting) by lentilla on Thursday March 01 2018, @02:24AM (4 children)

    by lentilla (1770) on Thursday March 01 2018, @02:24AM (#645572)

    No, the websites of today are far better than those of the past.

    I do, however, understand how you have reached the conclusion that "nobody knows how to design webpages anymore". In the past, if you "turned off styles", the most that would likely happen is the text was in black-and-white, the fonts lost their bling, but the page more-or-less looked the same. The graphics stayed put and the page layout was basically the same. Nowadays, "turn off styles" and the entire page falls apart - everything in a single long column and stuff that was on the right-hand of the page now appears at the bottom of the column.

    That is by design. In fact, it was the web-designers of the past who were in error. (It wasn't their fault - more on that below.)

    You remember all that high-minded talk about separation of content and presentation? Well, in the bad old days, it really was just talk. Due to the horrid compliance to web "standards", the only way a web designer could make a webpage stay together was to use nasty little tricks. (Microsoft's Internet Explorer holds the lion's share of the blame here.) Web-design was pretty much the antithesis of programming - nothing was deterministic, and the page would render ten different ways in five different browsers and sometimes changed depending on the wind.

    The main dirty tricks used in the past were tables and frames. Whilst it worked (sort-of), doing so created an entire class of other problems. Fragility was one. Remember "Best designed for Internet Explorer at 800x600 resolution"? Yuck. The other big loser was semantic context. Our brain is pretty good at turning a page into information, but I would have hated to rely on a screen reader to parse a single webpage. Today, despite the seemingly random jumble of text when styles are turned off, the page is much more transparent to screen readers and other automated systems.

    So time moved on and today we have HTML5. Which, for anyone who was forced to design webpages in the past, is a thing of true beauty. It follows the "principle of least surprise" (mostly), the language can be regular (you can treat it as XML and validate your code - yeah, can you imagine a programming language where nobody could tell you if it was syntactically correct? Yep, that was HTML in the past.) Semantic tags allow us to identify the purpose of content on our page. One example is having "navigation section" tagged with a <nav> tag which is immediately obvious to screen readers.

    CSS ("styles") go hand-in-glove with HTML5. The HTML describes the content and the CSS describes the presentation. After years of being a pipe-dream it's more-or-less possible to achieve separation. On the first level, CSS allows the designer to specify fonts and colours. On the second level, there is something called the "box model" which allows placement of elements of the page. On the third level, a properly designed page will flow correctly no matter what size the page is being rendered on. Like was originally intended - before HTML in reality became a bastardised version of a PDF that would break when the wind changed.

    The downside to all this magic is that the webpage falls apart when styles are turned off. Trust me, it only falls apart visually. (Unsurprising, since you turned the "visual" part off.) At the same time, the page remains utterly readable to machines.

    Having a webpage fall apart is a worthwhile price to pay. So many, many man-years of programmer time were wasted in the intervening years.

    • (Score: 0, Touché) by Anonymous Coward on Thursday March 01 2018, @04:03AM

      by Anonymous Coward on Thursday March 01 2018, @04:03AM (#645598)

      No, the websites of today are far better than those of the past.

      Ha! Good one. Oh, wait, you're serious?

      BWAAAHAHAHAHAHAHAHAHAHAHAHA!

    • (Score: 4, Insightful) by maxwell demon on Thursday March 01 2018, @06:57AM (1 child)

      by maxwell demon (1608) on Thursday March 01 2018, @06:57AM (#645645) Journal

      The number of properly designed pages is very low. And many current web sites are a load of JavaScript anyway, and without JavaScript, you get displayed none of the content (how does that work with screen readers?) And those which aren't typically have a hard-coded width; if shown on a big window, you just get loads of blank on both sides; even worse, if the font is too small on your display and you magnify it, the column doesn't get wider, but there just fits less text on that tiny column.

      No, the good old time was when web designers didn't yet exist. People would write web pages that worked well without placement. Yes, browsers would render them slightly different, but that was expected and didn't matter, because the pages just contained the information.

      Now in theory, using CSS you can write designed web pages that don't fall apart when CSS is disabled. No, you won't get fancy designs that way, but things can be in a logical order, and there are still the logical tags like h1, h2, em, strong, etc. It's just that few people care to do that. So in theory, CSS was a godsend. But in reality, web designers don't use it well.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by Pino P on Thursday March 01 2018, @10:00PM

        by Pino P (4721) on Thursday March 01 2018, @10:00PM (#646032) Journal

        and without JavaScript, you get displayed none of the content (how does that work with screen readers?)

        According to Mother Effing Tool Confuser [mothereffingtoolconfuser.com], web browsers that output speech execute JavaScript in the same way as visual ones. They just use the stylesheet's voice properties instead of its visual properties, and they use ARIA attributes to announce important elements to the user.

    • (Score: 0) by Anonymous Coward on Thursday March 01 2018, @03:49PM

      by Anonymous Coward on Thursday March 01 2018, @03:49PM (#645813)

      Yes, instead in our brave new world we have "Best viewed with Google Chrome", alongside myriads of CSS hacks meant to work around browser specific deficiencies (that bog down every other browser by virtue of being forced to log and deal with invalid CSS not meant for it), webpages composed of 40+ layers of nested content-less divs, AJAX that silently loads page components and mysteriously breaks if a connection times out, web pages trying to do the browser's job and lazy-load images (so now we can't even get images w/o scripting).

      ...as for it being easier for machines to understand webpages. If this were actually the case we would be seeing an uptick in browser diversity, instead there's really just one rendering engine to rule them all now (with the remaining alternatives milling about in a morass of increasing irrelevance).