So if I just delete all my contacts from address book, they can't steal them, hell yeah that'll work.
If you use Google to send email, organize photos or help administer your website, doomwatchers have cataloged three new ways to steal your data and compromise the security of your users. All three of the techniques rely on cross-site scripting, or XSS, in which hackers inject unauthorized code by making it appear as if it's …
Of course, XSS can be prevented if the sites in question are ruthless with input filtering and HTML quoting. If. Having some JS to do frame breakout will make iframe injection attacks pretty obvious. Ahh, frames. Don't you wish you could go back in time and give that smartarse at Netscape a good kicking. It would have been nice for a site to inform the browser that JS should be disabled for this page regardless of any other setting or outer frames. But it's way too late for that.
CSRF is a trickier beast. It's your site (which naturally is perfect) being attacked by a bad guy or compromised site. As the request comes from a legitimate user of your site, or technically from their browser, discriminating a genuine request from a bad one is a knotty problem. One solution is to ask for their password to confirm serious actions.
Or, ironically, have some js detection code to say "This site best viewed with JS off."
The joys of unintended consequences...
someone to notice this. I generally avoid JS. I am allergic to client-side code, but there are things they want to do that require the browser's help, so I oblige, knowing full well there isn't too much chance it's safe. May God have mercy on my watery soul. Still, it's good to know I am not alone.
Did you read the article?
"A Google spokesman on Monday afternoon said the flaw had been fixed."
"We plugged both addresses into version 7 of IE and only the latter appeared to work, so it's possible that ICANN has already plugged the hole."
Maybe, just maybe, people are fixing the problem before you got your mouth and brain into gear...
I am sure that a few Java programmers (they probably also like ridiculous Linux) will be offended by this post, but to them I say, see you next Tuesday.
Ex Pat wrote:
Oh, and Ex Pat: "ridiculous linux"? You mean the platform that powers so many web servers across the world? Including - oh my - The Register itself:
Server: Apache/2.0.54 (Debian GNU/Linux)
You *might* wanna consider a bit of research before shooting off at the mouth. It might just help you look a little *less* dim.
Er, less dim? Java, smava. Who cares if they are different, they still are based on the same crappy foundation and all suck regardless.
Just because Linux powers a few web servers does not make it automatically a good product. iTunes unfortunately powers the syncing of my iPod, but it still sucks as a product.
in most browsers.
It was designed as a "prototyped" language, but you can downgrade to an OO style of programming if you want. (In practice most JS programmers downgrade to a K&R C style of programming.)
Java is a C-like language compiled to a virtual machine language which runs very inefficiently on most browsers.
The only thing they have in common is the use of curly brackets to denote a block of code.
Try "http://www.masswerk.at/JavaPac/JS-PacManPlus.htm" to see what can be done in pure JS.
Biting the hand that feeds IT © 1998–2021