emmmmmmmmmmm
So if I just delete all my contacts from address book, they can't steal them, hell yeah that'll work.
If you use Google to send email, organize photos or help administer your website, doomwatchers have cataloged three new ways to steal your data and compromise the security of your users. All three of the techniques rely on cross site scripting, or XSS, in which hackers inject unauthorized code by making it appear as if it's …
XSS and Javascript: Or why you shouldn't just let arbitrary code run on your machine.
Just switch it off and let sites that demand javascript be enabled know why you aren't shopping there anymore. Ditto Flash. Or if that's a hassle, have a separate browser for these sites and set it to delete all cookies on exit, and only visit one site at a time. I keep Mozilla for this purpose. Konqueror with js off and no plugins for general browsing.
Of course, XSS can be prevented if the sites in question are ruthless with input filtering and HTML quoting. If. Having some js to do frame breakout will make iframe injection attacks pretty obvious. Ahh, frames. Don't you wish you could go back in time and give that smartarse at Netscape a good kicking. It would have been nice for a site to inform the browser that js should be disabled for this page regardless of any other setting or outer frames. But it's way too late for that.
CSRF is a trickier beast. It's your site (which naturally is perfect) being attacked by a bad guy or compromised site. As the request comes from a legitimate user of your site, or technically from their browser, discriminating a genuine request from a bad one is a knotty problem. One solution is to ask for their password to confirm serious actions.
Or, ironically, have some js detection code to say "This site best viewed with JS off."
The joys of unintended consequences...
someone to notice this. I generally avoid js; I am allergic to client-side code, but there are things they want to do that require the browser's help, so I oblige, knowing full well there isn't too much chance it's safe. May god have mercy on my watery soul. Still, it's good to know I am not alone.
Did you read the article?
"A Google spokesman on Monday afternoon said the flaw had been fixed."
"We plugged both addresses into version 7 of IE and only the latter appeared to work, so it's possible that ICANN has already plugged the hole."
Maybe, just maybe people are fixing the problem before you got your mouth and brain into gear....
Well, clearly it is about time to dump javascript because it is so rubbish. It is a dreadful thing that is slow, unreliable and cumbersome. And to make it worse, Sun's JVM is bloated and slows the machine down even further.
I am sure that a few java programmers (they probably also like ridiculous linux) will be offended by this post but to them I say, see you next Tuesday.
Ex Pat wrote:
Well, clearly it is about time to dump javascript because it is so rubbish. It is a dreadful thing that is slow, unreliable and cumbersome. And to make it worse, Sun's JVM is bloated and slows the machine down even further.
---
Wow.
It's 2007, and people are *still* confusing Javascript with Java. I won't argue that Java *applets* pretty much suck balls, but Java*script* is an entirely different technology. I'd offer an explanation, but I honestly doubt it'd be grasped by those getting it wrong in the first place.
Oh, and Ex Pat: "ridiculous linux"? You mean the platform that powers so many web servers across the world? Including - oh my - The Register itself:
Server: Apache/2.0.54 (Debian GNU/Linux)
You *might* wanna consider a bit of research before shooting off at the mouth. It might just help you look a little *less* dim.
Er, less dim? Java, smava. Who cares if they are different, they still are based on the same crappy foundation and all suck regardless.
Just because linux powers a few web servers does not make it automatically a good product. iTunes unfortunately powers the syncing of my iPod but it still sucks as a product.
If you spent more time in the real world instead of in dingy server rooms reading Linux User whilst rubbing yourself you might be a bit more aware of real-world facts, namely that Java, Javascript and linux all suck.
Javascript is an interpreted Scheme-like language more properly called "ECMAScript" which has an extremely fast implementation in most browsers.
It was designed as a "prototype"-based language but you can downgrade to an OO style of programming if you want. (In practice most JS programmers downgrade to a K&R C style of programming).
Java is a C-like language compiled to a virtual machine language which runs very inefficiently on most browsers.
The only thing they have in common is the use of curly brackets to denote a block of code.
Most people who knock javascript as a language have never done any serious programming in the language. It is a very powerful language and the "prototype" paradigm is both elegant and powerful.
Try "http://www.masswerk.at/JavaPac/JS-PacManPlus.htm" to see what can be done in pure JS.