Thanks for the clarifications, Frank. I can appreciate how, if one had the concerns
you raise, they'd benefit from a solution like that. Again, thanks for sharing it.

/charlie

From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Frank Moorman
Sent: Monday, January 03, 2011 8:00 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CMS Preferences

Charlie,

As for autoplay and XSS attacks...
Usually autoplay is through javascript on the same domain. When you whitelist a
domain, autoplay will usually start again.

The way noscript's whitelist works is based on the source domain of the script, not
the website domain. This allows a site's custom js to work, but it will stop other
sites like intellitxt or ad-tracking sites. This will stop XSS listed on a different
host, but it will not help you if the entire server is compromised and malicious js is
on the same server.

This can cause a problem if a site uses a third-party javascript framework and does not
host a copy of the framework locally. But this generally is not a good idea and most
sites don't do this anyway. If they do, noscript does have an option to "allow all
scripts on this page."

In addition, noscript has a setting to temporarily allow a domain which will let you
"test" settings until the end of your browser setting.

Generally, I got started with noscript for two reasons...
    1) I believe in a site getting revenue through ads, so I do not use adblock, but I
       do not want my movement across the web tracked.
    2) I occasionally have to deal with certain hotel wifi systems that used
       javascript to inject advertising iframes. Needless to say, I am not happy (or
       trusting) when this happens.
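The per-source-domain whitelist behaviour Frank describes above, as an added illustration that is not part of this thread and not NoScript's own code: a simplified model (hypothetical `script_policy` function, constructed sample URLs) that decides which script sources would run on a page. It shows why a whitelisted site's own scripts and inline scripts run, why a CDN-hosted framework or an ad-tracking host is blocked until allowed, and why a malicious script served from the same compromised host is not caught.

```python
from urllib.parse import urlparse

# Simplified model of a source-domain whitelist (an assumption, not NoScript's
# real matching rules): a host is allowed if it equals a whitelisted domain or
# is a subdomain of one.
def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def _matches(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def script_policy(page_url, script_srcs, whitelist, temp_allow=(),
                  allow_all_on_page=False):
    """Return {src: True/False} for each script on the page.

    An empty src means an inline <script>, which is treated as coming from
    the page's own host. temp_allow models "temporarily allow", and
    allow_all_on_page models "allow all scripts on this page"."""
    page_host = _host(page_url)
    allowed = set(whitelist) | set(temp_allow)
    decisions = {}
    for src in script_srcs:
        host = _host(src) if src else page_host
        decisions[src] = allow_all_on_page or _matches(host, allowed)
    return decisions

def demo():
    # Constructed sample: example.com is whitelisted; its own JS runs, the
    # CDN framework and tracker do not, but JS planted on example.com does.
    srcs = [
        "",                                            # inline autoplay script
        "https://static.example.com/site.js",          # site's own custom JS
        "https://cdn.example-framework.net/lib.js",    # third-party framework
        "https://tracker.example-ads.com/t.js",        # ad-tracking host
        "https://www.example.com/compromised.js",      # malicious, same host
    ]
    return script_policy("https://www.example.com/", srcs, ["example.com"])

if __name__ == "__main__":
    for src, runs in demo().items():
        print(f"{'RUN ' if runs else 'BLOCK'} {src or '<inline>'}")
```

Adding `temp_allow=["example-framework.net"]` or `allow_all_on_page=True` to the `script_policy` call models the two workarounds mentioned for sites that load a framework from elsewhere.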
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------