On Sep 4, 2014 5:04 PM, "Dave Watts" wrote:
> This is exactly how user scripts work. They are installed by the user
> in some fashion, and can control browser functionality. This is how
> online password managers work, how Greasemonkey works, etc, etc, etc.
> If a user installs malware, of course
>>If you do find a way to detect all scripts running on a page I would be very
interested in seeing how it works. At least you could then inform the user
that there are unwanted processes running in the browser.
I'm working on that, maybe not for all visitors, but at least for
administrators
> I can understand that a plugin can run a script when a page is loaded, but it
> is absolutely stupid this script can be part
> of the page and have all privileges granted to the user after a legitimate
> authentication. The script could run by itself, but
> have no access to the DOM and not be
>> is absolutely stupid this script can be part of the page and have all
privileges
>> granted to the user after a legitimate authentication.
Not when you consider that the script was added to YOUR page even before the
browser renders it. Think of it like a proxy in that the proxy added the
(un
Yeah... I'd do it myself if I could get good wireless :D
-Original Message-
From: Claude Schnéegans
>close up shop and move to a cabin in Montana
That's the best suggestion I got on that matter ;-)
>>There's nothing magically sacrosanct in HTTP or HTML to prevent
this sort of thing.
You're right, but as a developer, I have to modify my code every day, because
every day comes up a new version in which something has been cancelled or
disabled, like accessing the clipboard by JavaScript, o
>>close up shop and move to a cabin in Montana
That's the best suggestion I got on that matter ;-)
> >>so it becomes a part of the client side page request
> "against your will" as it were.
>
> Yes, but this raises a question:
> If my window.onerror can get events from some plugin code, this means that
> this code is embedded and is treated as if it belonged to my window.
> Thus, it has access
Claude,
There is literally nothing (not a single thing) that is "off limits" on the
client side. You cannot trust or believe the browser is in any way shape or
form a secure environment and you must assume that things like cookies can
and will be hacked and experimented with. This is why it is im
>>They don't call it Malware for nothing
Ok, but if a malware does "mal" to a moron client side, in a pinch, this is not
our problem, but if it can get passwords so easily, it can also do mal to any
server any time.
I just got one tonite that allows itself to define cookies under MY domain!
I
They don't call it Malware for nothing :-)
On Wed, Sep 3, 2014 at 8:11 PM, <> wrote:
>
> >>so it becomes a part of the client side page request
> "against your will" as it were.
>
> Yes, but this raises a question:
> If my window.onerror can get events from some plugin code, this means that
> t
>>so it becomes a part of the client side page request
"against your will" as it were.
Yes, but this raises a question:
If my window.onerror can get events from some plugin code, this means that this
code is embedded and is treated as if it belonged to my window.
Thus, it has access to everything
>>"against your will" as it were.
Indeed, so I'm considering adding some tests in my "bad bot" detector based on
some strings seen in JavaScript errors.
Maybe also there is a way to get the list of all scripts in a page, I'll dig
into that.
>>I think your idea is excellent though - a way to
Claude,
I think that perfectnavigator is an adware (some would say malware) that runs
on browser execution - so it becomes a part of the client side page request
"against your will" as it were.
I think your idea is excellent though - a way to trap client side errors and
tease them out and correct
> How come this code at in2.perfectnavigator.com (which is not on my server)
> can be executed from one
> of my pages, or at least the error event reported to one of my pages?
Users can choose to run their own scripts, or install plugins that run
scripts for them. This is pretty common. The in2
This is not really CF related, but since this list is mainly read by Web
developers, I thought it could be interesting anyway.
First, let me say that my system logs CF execution errors in a database with
many details that help a lot to clean my code.
However it does not trap JavaScript errors