I don't think "annoying" is quite the right word to summarize this blog post. Sure, ads are often annoying, but the point she was trying to make is that this pattern is somewhat harmful.
It isn't. But what do you replace it with? Better solutions are likely to only cover a fraction of use cases, so they really need to be stellar to win over users.
Separate. The common thing is to use uglifyjs for that.
Bobby tables would be considered data. Or should be. And hopefully it would be obvious that it doesn't belong in the code section. But like you I'm not totally convinced. I think this idea would make it easier for…
True, assuming that programmers don't compute code (HTML,SQL, etc) from user input and miscompute the length of a fragment. It would be interesting to see if this idea could work in practice.
In practice I bet a large portion of people set up their phones at cell phone stores. Do you really trust at&t/T-Mobile/sprint/etc to have properly secured WiFi? My bet is they don't.
Definitely this only applies to government (esp law enforcement) requests. Re: does it just protect US citizens or everyone's emails: dunno. That's a great question. My guess is that it's aimed at US citizens but I…
Yes. It's a problem with ms Edge's handling of custom URL schemes, which are registered via the Windows registry
If you see this happen, please write in to our support team; we take data integrity issues very seriously. Also I should probably mention that we keep 1 month of version history for free users and even more history for…
Yes but at the time, there was only evidence of password reuse leading to some comprised email lists... Not that password hashes themselves had been stolen. Sigh.
This. And even if the browser does block the request, the js probably sees that as an error code 0 (standard for cors) at which point it can use the performance timing apis. Side channels are tough.
CSP isn't relevant. I suspect you want to talk about cors or origin headers or similar things, in which case you are missing that there's no need for a csrf vulnerability here - any GET with reflected data could do.
I would love to try something like this. My use case: I work at a company with a lot of engineers working on our website. Most of our important pages have lots of code from different teams loaded on them - arguably, far…
Re moving the negation: it could be faster if x is available a few cycles before y in a superscalar architecture as you could save a cycle by negating x while in parallel computing y.
No it's pretty bad for web developers - everyone stuck on old versions of Safari just since they don't want the new os (or sometimes are on services that aren't supported any more). Whereas there's not much difference…
I've been trying to work with this library. So far my conclusion is that it's heavily under-documented and the examples are almost too simple. I'm having lots of trouble understanding errors.
I think it comes down to scale. If you are running your application on 5 or 10 or maybe even 100 servers, buying a few more to handle the inefficiency makes some sense. But if you code needs to go on 1000s of servers or…
Mitm is often pretty easy, e.g. just arp spoof someone on the same network as you. Though if your target is on a different network, maybe not so simple. There's definitely a point where it probably makes more sense to…
I don't think "annoying" is quite the right word to summarize this blog post. Sure, ads are often annoying, but the point she was trying to make is that this pattern is somewhat harmful.
It isn't. But what do you replace it with? Better solutions are likely to only cover a fraction of use cases, so they really need to be stellar to win over users.
Separate. The common thing is to use uglifyjs for that.
Bobby tables would be considered data. Or should be. And hopefully it would be obvious that it doesn't belong in the code section. But like you I'm not totally convinced. I think this idea would make it easier for…
True, assuming that programmers don't compute code (HTML,SQL, etc) from user input and miscompute the length of a fragment. It would be interesting to see if this idea could work in practice.
In practice I bet a large portion of people set up their phones at cell phone stores. Do you really trust at&t/T-Mobile/sprint/etc to have properly secured WiFi? My bet is they don't.
Definitely this only applies to government (esp law enforcement) requests. Re: does it just protect US citizens or everyone's emails: dunno. That's a great question. My guess is that it's aimed at US citizens but I…
Yes. It's a problem with ms Edge's handling of custom URL schemes, which are registered via the Windows registry
If you see this happen, please write in to our support team; we take data integrity issues very seriously. Also I should probably mention that we keep 1 month of version history for free users and even more history for…
Yes but at the time, there was only evidence of password reuse leading to some comprised email lists... Not that password hashes themselves had been stolen. Sigh.
This. And even if the browser does block the request, the js probably sees that as an error code 0 (standard for cors) at which point it can use the performance timing apis. Side channels are tough.
CSP isn't relevant. I suspect you want to talk about cors or origin headers or similar things, in which case you are missing that there's no need for a csrf vulnerability here - any GET with reflected data could do.
I would love to try something like this. My use case: I work at a company with a lot of engineers working on our website. Most of our important pages have lots of code from different teams loaded on them - arguably, far…
Re moving the negation: it could be faster if x is available a few cycles before y in a superscalar architecture as you could save a cycle by negating x while in parallel computing y.
No it's pretty bad for web developers - everyone stuck on old versions of Safari just since they don't want the new os (or sometimes are on services that aren't supported any more). Whereas there's not much difference…
No it's pretty bad for web developers - everyone stuck on old versions of Safari just since they don't want the new os (or sometimes are on services that aren't supported any more). Whereas there's not much difference…
I've been trying to work with this library. So far my conclusion is that it's heavily under-documented and the examples are almost too simple. I'm having lots of trouble understanding errors.
I think it comes down to scale. If you are running your application on 5 or 10 or maybe even 100 servers, buying a few more to handle the inefficiency makes some sense. But if you code needs to go on 1000s of servers or…
Mitm is often pretty easy, e.g. just arp spoof someone on the same network as you. Though if your target is on a different network, maybe not so simple. There's definitely a point where it probably makes more sense to…