On Sep 4, 2014 5:04 PM, Dave Watts wrote:
This is exactly how user scripts work. They are installed by the user
in some fashion, and can control browser functionality. This is how
online password managers work, how Greasemonkey works, etc, etc, etc.
If a user installs malware, of course that
-
From: Claude Schnéegans schneeg...@internetique.com
Sent: Wednesday, September 03, 2014 10:29 PM
To: cf-talk
Subject: Re: OT, but stil...
They don't call it Malware for nothing
Ok, but if a malware
so it becomes a part of the client side page request
against your will as it were.
Yes, but this raises a question:
If my window.onerror can get events from some plugin code, this means that
this code is embedded and is treated as if it belonged to my window.
Thus, it has access to
close up shop and move to a cabin in Montana
That's the best suggestion I got on that matter ;-)
There's nothing magically sacrosanct in HTTP or HTML to prevent
this sort of thing.
You're right, but as a developer, I have to modify my code every day, because
every day comes up a new version in which something has been cancelled or
disabled, like accessing the clipboard by JavaScript, or
Subject: Re: OT, but stil...
close up shop and move to a cabin in Montana
That's the best suggestion I got on that matter ;-)
is absolutely stupid this script can be part of the page and have all
privileges granted to the user after a legitimate authentication.
Not when you consider that the script was added to YOUR page even before the
browser renders it. Think of it like a proxy in that the proxy added the
I can understand that a plugin can run a script when a page is loaded, but it
is absolutely stupid this script can be part of the page and have all
privileges granted to the user after a legitimate authentication. The script
could run by itself, but have no access to the DOM and not be
If you do find a way to detect all scripts running on a page I would be very
interested in seeing how it works. At least you could then inform the user
that there are unwanted processes running in the browser.
I'm working on that, maybe not for all visitors, but at least for
administrators
them. Nicely done.
-Mark
-Original Message-
From: Claude Schnéegans schneeg...@internetique.com
Sent: Tuesday, September 02, 2014 9:27 PM
To: cf-talk
Subject: OT, but stil
against your will as it were.
Indeed, so I'm considering adding some tests in my bad bot detector based on
some strings seen in JavaScript errors.
Maybe there is also a way to get the list of all scripts in a page, I'll dig
into that.
I think your idea is excellent though - a way to trap
so it becomes a part of the client side page request
against your will as it were.
Yes, but this raises a question:
If my window.onerror can get events from some plugin code, this means that this
code is embedded and is treated as if it belonged to my window.
Thus, it has access to everything in
They don't call it Malware for nothing :-)
On Wed, Sep 3, 2014 at 8:11 PM, wrote:
so it becomes a part of the client side page request
against your will as it were.
Yes, but this raises a question:
If my window.onerror can get events from some plugin code, this means that
this code is
They don't call it Malware for nothing
Ok, but if a malware does mal to a moron client side, in a pinch, this is not
our problem, but if it can get passwords so easily, it can also do mal to any
server any time.
I just got one tonight that allows itself to define cookies under MY domain!
If
This is not really CF related, but since this list is mainly read by Web
developers, I thought it could be interesting anyway.
First, let me say that my system logs CF execution errors in a database with
many details that help a lot to clean my code.
However it does not trap JavaScript errors
How come this code at in2.perfectnavigator.com (which is not on my server)
can be executed from one of my pages, or at least the error event reported to
one of my pages?
Users can choose to run their own scripts, or install plugins that run
scripts for them. This is pretty common. The