SoylentNews is people
SoylentNews
Submitted via IRC for SoyCow3941
Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook.
Information leaked via this attack could aid some advertisers link IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy.
The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.
The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard.
The mix-blend-mode feature allows web developers to stack web components on top of each other and add effects for controlling to[sic] the way they interact. As the feature's name hints, these effects are inspired by the blend modes found in photo editing software like Photoshop, Gimp, Paint.net, and others. Example blend modes are Overlay, Darken, Lighten, Color Dodge, Multiply, Inverse, and others.
The CSS3 mix-blend-mode feature supports 16 blend modes and is fully supported in Chrome (since v49) and Firefox (since v59), and partially supported in Safari (since v11 on macOs and v10.3 on iOS).
(Score: 4, Insightful) by Arik on Monday June 04 2018, @11:59PM (9 children)
The browser knows what sort of device is available for presentation. The webserver does not and should not have the faintest clue. So how is it going to layout on an unknown device?
It can't. It's not supposed to.
And why would you want a 'passionate artist' doing print-shop layout? What a horrible idea. The artist will be frustrated and the print will be too often unreadable.
Get a competent technician to do the layout, let the passionate artist go do some passionate art. Somewhere else.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @12:37AM (8 children)
Ergo, the artist should be able to specify exactly what to do on a certain device, so that a browser can say "Hey! I've got that device; now I know exactly what to do without having to guess!"
As others have mentioned, rather than having the artist just a dump a bunch of specifications along with content, it would be better if the web protocol included an explicit negotiation about presentation.
Do you get it yet?
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @12:52AM (7 children)
But it becomes a combinatorial mess to test designs on every browser and device brand/version/size combo. Even if you know the screen size, font size is often determined by a myriad other factors so testing on just screen size is not sufficient. Telling all designers they should become UI rocket scientists merely to make a pretty screen is crazy. Web UI "standards" (cough) are focked up, please, invent something new, I'll donate $500 if it catches on.
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @01:17AM (6 children)
Let me introduce you to a powerful concept: Abstraction.
It doesn't matter whether you own an iPhone, an iMac, a Windows netbook, or a Google Pixel smartphone. Each is capable of rendering a page to an abstract device with a given, standard set up of dimensions, capabilities, etc. Why isn't there simply a set of such standards? Then, device makers would feel compelled to make their devices capable of exactly implementing at least one of those standards, and content artists would feel compelled to work within the constraints of those standards.
I don't think it's too much to ask for browsers and content artists to work with some basic set of standards for "Paper", "watch", "smart phone", "tablet", "desktop", "TV", "movie screen", and "billboard". Of course, if you don't want such constraints, you would be free to throw yourself to the mercy of the machines, like we do right now.
Right now, nobody feels compelled to do anything, because nothing works in theory, only in practice: You have to design by experiment rather than from first principles.
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @02:23AM
But the current standards not capable of rendering the abstractions perfectly: we can only get half-ass abstractions which look like abstract art when they break. If you claim it can be done, show me and I'll find a device that "breaks" it, in part because no browser is a perfect implementation.
I say make the browser a dumb/simple coordinate vector processor and let the abstraction processing happen on the server so that you only have to test/debug one rendering/layout device instead of 5,000 variations. 1 < 5000.
(Score: 3, Insightful) by choose another one on Tuesday June 05 2018, @12:27PM (4 children)
Abstraction either fails in the face of fast moving technology, or it constrains and limits progress. Abstractions also always leak, always.
The range of devices available _now_ is impossible to accurately enumerate let alone test across, as an instantly noticeable example you missed out "screen reader" from your "basic set of standards". Resolution is also not the only critical display property - you need to consider at least colour depth and refresh rate (e.g. monochrome e-ink) in addition. You are also only considering display - if you are building any kind of user interface (as almost every web page these days is) then you need to consider input devices, and every input/display combination, and so on. All that is before you consider devices that don't exist yet. There was a huge part of the web that simply didn't work when touch devices came in - all because designers chose to bend/abuse/subvert the input capabilities of browsers to do fancy things and just assumed that the user would have a keyboard and/or mouse. Yet the oldest pages on the internet, from the 90's, worked just fine.
How about this abstraction: Content is separate from Style, style is advisory and may be overridden by device/browser or end-user depending on their capabilities, but the browser will do its damndest to get your content in front of the user, and if that isn't acceptable to you then render to an image and send that (but always allow that it may have to be scaled and/or colour-reduced) ?
Of course that was what we almost had in the 90's, but it didn't fly once the "designers" got involved and we had to break it all in an attempt to create pixel-perfect "user experiences".
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @01:08PM (1 child)
Either there is an abstraction to target, or it's a free-for-all.
There's no magic that will solve this.
(Score: 0) by Anonymous Coward on Tuesday June 05 2018, @04:58PM
There is a solution: move the abstract formatting to the server and make the client a dumb coordinate vector plotter. Then you can fix or change "abstraction" without worrying about the myriad "mutated" client engines that I described earlier. You then have far far fewer formatting/rendering engine combinations to test and worry about because your server ain't going anywhere unless you want it to. YOU then control the abstraction (or skip one), not Google, not Microsoft, not Larry Ellison, not professors who lack practical experience.
(Score: 2) by Arik on Wednesday June 06 2018, @03:15AM (1 child)
By which of course they mean an imaginative and impractical UI. "Designers" are a plague, and should not be allowed anywhere near a computer.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Wednesday June 06 2018, @04:36PM
But PHB's want eye-candy and so get eye-candy, one way or another.