SoylentNews is people
SoylentNews
Submitted via IRC for SoyCow3941
Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook.
Information leaked via this attack could aid some advertisers link IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy.
The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.
The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard.
The mix-blend-mode feature allows web developers to stack web components on top of each other and add effects for controlling to[sic] the way they interact. As the feature's name hints, these effects are inspired by the blend modes found in photo editing software like Photoshop, Gimp, Paint.net, and others. Example blend modes are Overlay, Darken, Lighten, Color Dodge, Multiply, Inverse, and others.
The CSS3 mix-blend-mode feature supports 16 blend modes and is fully supported in Chrome (since v49) and Firefox (since v59), and partially supported in Safari (since v11 on macOs and v10.3 on iOS).
(Score: -1, Redundant) by Anonymous Coward on Monday June 04 2018, @08:58PM (19 children)
The AC is correct: Given agreement between browser and content-creator, it is better to allow the content-creator to decide layout. Obviously.
The browser is just some random courier; I'd much rather have the passionate artist determine presentation.
Perhaps the browser and the server should negotiate display characteristics. This could be simplified by defining standard characteristics, such as "A4" size, and various dimensions used by smartphones, tablets, and the like.
The web is such a shitty lets-be-first-to-market-then-go-rock-climbing-in-Europe-because-we-are-fit-20-something-year-old-beautiful-people kind of place.
(Score: 2) by tangomargarine on Monday June 04 2018, @09:31PM (8 children)
Whoever modded it probably didn't mean Disagree. AC was needlessly rude to who they were replying to.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: -1, Offtopic) by Anonymous Coward on Monday June 04 2018, @09:47PM (7 children)
A troll is a person who tries to get a rise out of another person just for the sake of getting a rise out of that other person. Feigning ignorance, or willfully stating falsehoods as facts, etc., are examples of trolling. Expressing an opinion is not trolling. EVER.
You can't explain that someone's idea is, in fact, idiotic without implicitly telling that person that he is, partially, an idiot. The wise man accepts ridicule as an important signal that he needs to introspect; the wise man is thankful for ridicule, not only because it is a salve for his wrongheadedness, but also because it is a source of laughter when the other party is the one suffering from wrongheadedness.
If you call an unkempt person "physically unattractive", then it stings because it is true; however, if you call a highly paid supermodel "physically unattractive", then it's just a fart in the wind that nobody cares about.
(Score: 2) by tangomargarine on Monday June 04 2018, @09:58PM (6 children)
You can tell people they're wrong without personally insulting them.
Personally I would go with "Flamebait" over "Troll" but they're practically synonyms in my book.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0, Disagree) by Anonymous Coward on Monday June 04 2018, @10:16PM (5 children)
Telling someone he's wrong means you're telling someone that he's wrongheaded, which means you're telling someone that he's not capable enough to see his mistake.
Everyone is wrong about something. You can choose to deal with it in one of 2 ways:
Admit your deficiency, and perhaps try to fix it.
Deny your deficiency by any means possible.
(Score: 2) by c0lo on Monday June 04 2018, @11:00PM (4 children)
Which may be an absolutely temporary/transient situation.
While telling that person he's wrong without qualification of any kind (e.g. "you may be right in other circumstances, but you are wrong on this one") is a gratuitous insult.
This even letting aside that it may be you to actually be wrong (thus "wrongheaded" by your very definition). It is wise to further qualify your statement with "The way I see the things, ...".
---
Grow up: for the present, I feel you behave like a selfish prick, asking everybody to agree with your understanding of the world and your terminology without any reserves. The world doesn't work this way.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 1, Insightful) by Anonymous Coward on Tuesday June 05 2018, @12:31AM (3 children)
You're just repeating what your parent AC said; your reply is basically what you left out of your quote, making your reply redundant.
You have backwards the responsibility of qualification.
The wise person realizes that it is his own responsibility to insert "In my opinion" in front of every statement that another person makes, because every statement is inherently subjective.
A growing problem in our society is the inversion of this responsibility, which leads to the absurd conclusion that every statement must be associated with a growing list of qualifications and of restrictions in "safe spaces", the limit of which is a breakdown of the ability of 2 people to find their objective reality (where their subjective realities agree) and thus an increasing likelihood of chaos.
(Score: 2) by c0lo on Tuesday June 05 2018, @03:25AM (2 children)
Without the admission of the subjectivity of your position, I'm not going to trust you, especially when you come across in an aggressive fashion.
And that's not only me that is going to react this way, most of this world is.
Your choice if you want to deal with it (by adjusting what you have under your control, that means you) or expect the whole world to change to your taste.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: -1, Troll) by Anonymous Coward on Tuesday June 05 2018, @11:52AM (1 child)
And that makes me care even less for your approval.
(Score: 2) by c0lo on Tuesday June 05 2018, @12:01PM
you weren't for my approval in the first place, so how's that relevant? All you care is to pose superior - just empty vanity.
For the matter, I wasn't after your approval either. Thus, if you want a pissing contest, search another, I'm simply not interested.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Insightful) by Arik on Monday June 04 2018, @11:59PM (9 children)
The browser knows what sort of device is available for presentation. The webserver does not and should not have the faintest clue. So how is it going to layout on an unknown device?
It can't. It's not supposed to.
And why would you want a 'passionate artist' doing print-shop layout? What a horrible idea. The artist will be frustrated and the print will be too often unreadable.
Get a competent technician to do the layout, let the passionate artist go do some passionate art. Somewhere else.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @12:37AM (8 children)
Ergo, the artist should be able to specify exactly what to do on a certain device, so that a browser can say "Hey! I've got that device; now I know exactly what to do without having to guess!"
As others have mentioned, rather than having the artist just a dump a bunch of specifications along with content, it would be better if the web protocol included an explicit negotiation about presentation.
Do you get it yet?
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @12:52AM (7 children)
But it becomes a combinatorial mess to test designs on every browser and device brand/version/size combo. Even if you know the screen size, font size is often determined by a myriad other factors so testing on just screen size is not sufficient. Telling all designers they should become UI rocket scientists merely to make a pretty screen is crazy. Web UI "standards" (cough) are focked up, please, invent something new, I'll donate $500 if it catches on.
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @01:17AM (6 children)
Let me introduce you to a powerful concept: Abstraction.
It doesn't matter whether you own an iPhone, an iMac, a Windows netbook, or a Google Pixel smartphone. Each is capable of rendering a page to an abstract device with a given, standard set up of dimensions, capabilities, etc. Why isn't there simply a set of such standards? Then, device makers would feel compelled to make their devices capable of exactly implementing at least one of those standards, and content artists would feel compelled to work within the constraints of those standards.
I don't think it's too much to ask for browsers and content artists to work with some basic set of standards for "Paper", "watch", "smart phone", "tablet", "desktop", "TV", "movie screen", and "billboard". Of course, if you don't want such constraints, you would be free to throw yourself to the mercy of the machines, like we do right now.
Right now, nobody feels compelled to do anything, because nothing works in theory, only in practice: You have to design by experiment rather than from first principles.
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @02:23AM
But the current standards not capable of rendering the abstractions perfectly: we can only get half-ass abstractions which look like abstract art when they break. If you claim it can be done, show me and I'll find a device that "breaks" it, in part because no browser is a perfect implementation.
I say make the browser a dumb/simple coordinate vector processor and let the abstraction processing happen on the server so that you only have to test/debug one rendering/layout device instead of 5,000 variations. 1 < 5000.
(Score: 3, Insightful) by choose another one on Tuesday June 05 2018, @12:27PM (4 children)
Abstraction either fails in the face of fast moving technology, or it constrains and limits progress. Abstractions also always leak, always.
The range of devices available _now_ is impossible to accurately enumerate let alone test across, as an instantly noticeable example you missed out "screen reader" from your "basic set of standards". Resolution is also not the only critical display property - you need to consider at least colour depth and refresh rate (e.g. monochrome e-ink) in addition. You are also only considering display - if you are building any kind of user interface (as almost every web page these days is) then you need to consider input devices, and every input/display combination, and so on. All that is before you consider devices that don't exist yet. There was a huge part of the web that simply didn't work when touch devices came in - all because designers chose to bend/abuse/subvert the input capabilities of browsers to do fancy things and just assumed that the user would have a keyboard and/or mouse. Yet the oldest pages on the internet, from the 90's, worked just fine.
How about this abstraction: Content is separate from Style, style is advisory and may be overridden by device/browser or end-user depending on their capabilities, but the browser will do its damndest to get your content in front of the user, and if that isn't acceptable to you then render to an image and send that (but always allow that it may have to be scaled and/or colour-reduced) ?
Of course that was what we almost had in the 90's, but it didn't fly once the "designers" got involved and we had to break it all in an attempt to create pixel-perfect "user experiences".
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @01:08PM (1 child)
Either there is an abstraction to target, or it's a free-for-all.
There's no magic that will solve this.
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @04:58PM
There is a solution: move the abstract formatting to the server and make the client a dumb coordinate vector plotter. Then you can fix or change "abstraction" without worrying about the myriad "mutated" client engines that I described earlier. You then have far far fewer formatting/rendering engine combinations to test and worry about because your server ain't going anywhere unless you want it to. YOU then control the abstraction (or skip one), not Google, not Microsoft, not Larry Ellison, not professors who lack practical experience.
(Score: 2) by Arik on Wednesday June 06 2018, @03:15AM (1 child)
By which of course they mean an imaginative and impractical UI. "Designers" are a plague, and should not be allowed anywhere near a computer.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Wednesday June 06 2018, @04:36PM
But PHB's want eye-candy and so get eye-candy, one way or another.