  1. #51
    Stomme poes
    That sounds interesting. What steps has Ruby been taking client-side? Do you have a link or something where I could read up on that?
    Not off the top of my head, but I can probably find it again.

    The Java stuff was the intro by Sun for a downloadable (so a sort of plugin) JVM using Swing. The Ruby stuff, that might have been "Red" (which is JS written as Ruby) or any of the Iron-* stuff (so Python too). Right now, they're using Silverlight as a crutch. Question is, how long will it stay like that?
    So I found this: http://www.rubyinside.com/ironruby-s...wser-3192.html
    ...however it's a newer link than whatever I first read of the idea of Ruby moving into the client-side. Wherever that was, there were comments in that article mentioning Perl and Python doing the same.

  2. #52
    Pullo
    Wow, great link.
    Thanks for that. Very interesting.

  3. #53
    felgall
    Originally posted by Pullo:
    Hmm, don't know what to reply to that.
    I should've expected that kind of reply though.
    The difference between JavaScript and most other languages is that with other languages you don't need any interaction from the owner of the computer. Once you allow the bad code to run it does what it wants without any further intervention required. The worst that can be done with JavaScript is no worse than can be done with just HTML and still requires further action by the browser owner.

    Anyone who decided to implement that "Tabnapping" phishing attempt would also probably include a meta redirect as a fallback so as to catch out a lot of those who think disabling JavaScript will keep them safe.

    It would be far easier and work far better cross browser if the JavaScript used a redirect to a separate page rather than trying to rebuild the phishing page inside the same page anyway as that would resolve the favicon problems and get it to work even on older browsers.

    Just as a further point - the script can't work if a person doesn't visit the page it is on in the first place. So you'd need some form of phishing attack to get them to that page in the first place. You'd need to find a way to get the JavaScript to run on other people's sites (without their knowledge) in order to be able to actually achieve anything by doing it and JavaScript doesn't work that way.

    So this is way overhyped for what it actually means.
    Last edited by felgall; May 27, 2010 at 14:46.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  4. #54
    Stomme poes
    Anyone who decided to implement that "Tabnapping" phishing attempt would also probably include a meta redirect as a fallback so as to catch out a lot of those who think disabling JavaScript will keep them safe.
    You can turn meta redirects off. I've seen plugins for this, but I thought there was also a setting alone you could use. The plugin was to stop TinyURLs or let you see the real domain before clicking on a TinyURL.

    Just as a further point - the script can't work if a person doesn't visit the page it is on in the first place. So you'd need some form of phishing attack to get them to that page in the first place. You'd need to find a way to get the JavaScript to run on other people's sites (without their knowledge) in order to be able to actually achieve anything by doing it and JavaScript doesn't work that way.
    True. This happened to one of our sites, so Google blocked it with a warning. Someone at the hosting company had let some summer student get a password, and they or someone they gave it to got in, added this little PHP script, which itself added JavaScript to our pages, which tried to do any of several malicious things (I don't think they were very well written though). Some Filipino l33t h4x0rz with a Japanese address for some reason.

    What this tells me is, I'd better either keep JS off or use NoScript (I do both between all my Linux browsers) because even the sites I trust, I can't trust.

  5. #55
    felgall
    Originally posted by Stomme poes:
    Someone at the hosting company had let some summer student get a password, and they or someone they gave it to got in, added this little PHP script, which itself added Javascript to our pages, which tried to do any of several malicious things (I don't think they were very well written though).
    What they can do with the PHP can be far more malicious than anything that can be done with JavaScript. That the PHP was used to add JavaScript rather than to do the damage itself meant that it was relatively harmless. PHP has access to do all sorts of things that JavaScript can't do.

    The one situation where this sort of phishing attempt really would be effective would be if they were to insert a server side redirect to the fake site into the real site. Better keep clear of PHP, .NET etc just in case someone does just that.

  6. #56
    Stomme poes
    PHP has access to do all sorts of things that JavaScript can't do.
    Indeed, and yes they had PHP Doing Stuff as well. I couldn't tell what they were trying to do with the JS, but overall it wasn't so well done.

    In any case, no, I don't think any of us believes NoScript or anything similar can protect against anything coming at us server-side. What I like about NoScript is it blocks objects until I say otherwise, it detects clickjacking, it blocks scripts per domain and I can allow scripts per domain. I believe this functionality should be built into all browsers instead of just JS on/off.

    BTW Stephen, what do you think about FF4 having "session management" as mentioned in the article and comments of Pullo's link? Might be the brick that makes me stop using FF for all but site testing.

  7. #57
    ScallioXTX
    Originally posted by Stomme poes:
    BTW Stephen, what do you think about FF4 having "session management" as mentioned in the article and comments of Pullo's link? Might be the brick that makes me stop using FF for all but site testing.
    Stomme, do you mean the Account Manager?
    Rémon - Hosting Advisor

    SitePoint forums will switch to Discourse soon! Make sure you're ready for it!

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  8. #58
    Stomme poes
    Scallio: yeah. I may be misunderstanding what it all does, but it seems any site that has the extra headers and the JSON file means my browser (if I had a browser that did this) would log me in whenever I visited that domain.

    Is that a good idea?

  9. #59
    ScallioXTX
    Originally posted by Stomme poes:
    Scallio: yeah. I may be misunderstanding what it all does, but it seems any site that has the extra headers and the JSON file means my browser (if I had a browser that did this) would log me in whenever I visited that domain.

    Is that a good idea?
    No, it's an extremely bad idea. But, if you don't supply the manager with credentials it won't be able to log you in, now would it?
    And I guess it's possible to disable this "functionality".

  10. #60
    Stomme poes
    And I guess it's possible to disable this "functionality".
    Hm, there's quite a few "features" of my browser I'd like to disable, but like 99% of browser users, I'm allergic to crawling through the about:config areas.

    I've actually been holding off an upgrade to 3.6 for a list of several things... one of which being the removal of the Properties item in the context menu. Guess what you have to do to regain the same functionality that all other browsers provide? Yes, you must download a plugin : ) And the tabs open in the wrong order. Yikes!
    I'll see how long I can stay with 3.5.x, but I was also thinking of upgrading to Lucid Lynx at some point... which, after installing all the updates, would likely include FF 3.6+ : (

  11. #61
    SpacePhoenix
    Originally posted by Stomme poes:
    Hm, there's quite a few "features" of my browser I'd like to disable, but like 99% of browser users, I'm allergic to crawling through the about:config areas.

    I've actually been holding off an upgrade to 3.6 for a list of several things... one of which being the removal of the Properties item in the context menu. Guess what you have to do to regain the same functionality that all other browsers provide? Yes, you must download a plugin : ) And the tabs open in the wrong order. Yikes!
    I'll see how long I can stay with 3.5.x, but I was also thinking of upgrading to Lucid Lynx at some point... which, after installing all the updates, would likely include FF 3.6+ : (
    Stomme poes, when you mention tabs opening in the wrong order, are you referring to a new tab opening right next to the tab that opened it?

    If so, that is the "browser.tabs.insertRelatedAfterCurrent" value which you could set to false.
    Community Team Advisor

  12. #62
    Stomme poes
    If so, that is the "browser.tabs.insertRelatedAfterCurrent" value which you could set to false.
    It's so much easier to just not upgrade. Almost a year ago, Mozilla asked "why don't people update?" Most of the answers were "we don't like having to spend time turning all the features off so that we have the same functionality we had in the old one." Which is actually a very Bad Thing, because old browsers are insecure browsers.

  13. #63
    felgall
    Most of the good extensions for Firefox are copies of features that are built directly into Opera (for example noscript).

  14. #64
    ScallioXTX
    Originally posted by Stomme poes:
    It's so much easier to just not upgrade. Almost a year ago, Mozilla asked "why don't people update?" Most of the answers were "we don't like having to spend time turning all the features off so that we have the same functionality we had in the old one." Which is actually a very Bad Thing, because old browsers are insecure browsers.
    Wonder if MS ever asked that question ...
    And what the response was ...
    (besides "my intranet/custom app won't run on anything else")

  15. #65
    AlexDawson
    Originally posted by felgall:
    What they can do with the PHP can be far more malicious than anything that can be done with JavaScript.
    I mostly agree with you Stephen but with the likes of JavaScript there is the danger of key-logging where people could actively snatch people's details if they didn't know what they're doing, but I guess that's no different to a phishing scam website which pretends to be something it isn't.

