  1. #1
    These observations may seem a little off-topic, but the core is about how to maintain browser security, when information providers use other (cross-site) providers, with no online acknowledgment that they are doing so. As an example, the online.wsj.com website seems to be changing some of the other providers that they use. When IE8 is locked down according to decent security practices, the result may be that some features of online.wsj silently fail to work. Under FF w/ NoScript, one can more easily detect what WSJ has gotten up to, and take corrective action.

    From a different angle, when features stop working, it is sometimes not clear whether the action was intended by the information provider, or accidental. This morning, online.wsj.com started blocking new comments from one subscriber. Even the most innocuous sentences seemed to be blocked as "Does not meet Community Standards". Whatever the issue was, it cleared up after an hour or so. How is a user to know whether they have violated some standard, or run afoul of the shifting (quick)sands of technology?

  2. #2
    bobprimak (Lounge VIP)
    Quote: Originally posted by Nano Geek
    These observations may seem a little off-topic, but the core is about how to maintain browser security, when information providers use other (cross-site) providers, with no online acknowledgment that they are doing so. As an example, the online.wsj.com website seems to be changing some of the other providers that they use. When IE8 is locked down according to decent security practices, the result may be that some features of online.wsj silently fail to work. Under FF w/ NoScript, one can more easily detect what WSJ has gotten up to, and take corrective action.

    From a different angle, when features stop working, it is sometimes not clear whether the action was intended by the information provider, or accidental. This morning, online.wsj.com started blocking new comments from one subscriber. Even the most innocuous sentences seemed to be blocked as "Does not meet Community Standards". Whatever the issue was, it cleared up after an hour or so. How is a user to know whether they have violated some standard, or run afoul of the shifting (quick)sands of technology?
    If you are running NoScript, any site which doesn't like the add-on will probably flash you a message saying so, or redirect you to an "oops!" page. The message will say that you need to enable JavaScript to continue. If the problem is server-side, try back in an hour or two, or at most a day or two. Most rules violations result in an e-mail notice within a day or two. If you are running Firefox with NoScript, you are doing things the right way, IMHO. But WSJ does not like NoScript, as it can be used to block ads, and Rupert Murdoch (owner of WSJ) really hates it when users block his ads.

    And the issue of user safety vs. web site usability is definitely not off-topic here in The Lounge! Several of us are struggling with sites which are taking countermeasures against users of AdBlock Plus and NoScript. Unfortunately, there are no clear-cut answers here. Sites need to make money, and they make money by displaying ads. But hackers send out malicious ads and scripts, so it is not safe to always let ads display. Something needs to be done to resolve this issue -- but what?
    -- Bob Primak --

  3. #3
    What makes this even more complex is when there is legitimate cross-site scripting on a site. This is becoming more common as companies merge and various sites align themselves with other sites that complement one another. One example of this is my health insurance company recently merged their prescription company with another. All traffic related to prescriptions now goes to the new company, while pulling over your authentication from the insurance company's web site. Yes, I can add exceptions to NoScript, when it's something obvious like this. But I've run into quite a few situations where it's not obvious. What to block and not to block...
    Chuck
