Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Comment Sea of broken images (Score 1) 275

I've found failures due to 3rd-party blocking to be (A) fairly rare [...] usually when I block, I simply don't see the image. Or I just see the little "broken image" symbol in my browser.

If you apply same-origin policy to images in HTML documents by default, then I fail to understand how it would be "fairly rare" for you to encounter a page that's a sea of broken images. For example, Wikipedia (upload.wikimedia.org), Wikia (nocookie.net), Google (gstatic.com), Yahoo! (yimg.com), and eBay (ebaystatic.com) all routinely host images on a separate domain from the HTML document, often to prevent repetition of the user's session cookie in the HTTP headers for each image request.

Comment Re:Non-poor way to design a mash-up (Score 1) 275

You'll have to be more specific about the implementation of the RSS reader.

JavaScript retrieves the RSS or Atom feed from multiple sites that support CORS, parses it, and displays it. This way nothing gets necessarily leaked to the operator of the server on which the reader is hosted, neither the content of the feeds nor the password needed to retrieve each feed. Nor can web servers hosting feeds block the IP address of the server on which the reader is hosted for alleged excessive use.

The difference is that there is no "sandboxing of local applications" at all on the most popular desktop platforms.

I didn't say anything about desktop platforms

Then I appear to have applied a definition of "local applications" with which you disagree, which fulfills Layne's Law of Debate. Please define "local applications" before the discussion can continue.

try again.

Please explain what you mean by this catchphrase.

Comment Re:Non-poor way to design a mash-up (Score 1) 275

which is why the decision to allow this sort of behavior should be up to the user.

Should an RSS reader with 12 feeds present 12 alerts? If not, what user interface do you recommend to make "the decision to allow this sort of behavior [to] be up to the user"?

Secondly that doesn't explain why the security methodology should be any different to sandboxing of local applications

The difference is that there is no "sandboxing of local applications" at all on the most popular desktop platforms.

Comment Re:Non-poor way to design a mash-up (Score 1) 275

executable code resources

"Executable"? I thought we were talking about CORS, which is intended for things like XML documents, JSON objects, and fonts, none of which are "executable". (Technically, TrueType fonts have interpreted hints, but that's an even more limited sandbox than any JavaScript environment, and renderers have the option to autohint outlines instead.)

Could you explain [...] why you believe the security methodology should be any different to sandboxing of any other local applications?

If a web site has opted into CORS, it has opted into allowing other sites to include its (non-executable) resources into their sandboxes.

Comment Re:Cancel or Allow (Score 1) 275

All "blocking external domains" does is cause web applications to show an error message: "The application could not start because either your web browser does not support cross-origin resource sharing or you have blocked external domains. To begin using this application, please upgrade to a web browser that supports cross-origin resource sharing or unblock external domains for this site." I will continue this discussion in replies to your other comment.

Comment Re: What the hell is the point of this anyway? (Score 1) 275

The APIs of IE 10, Firefox (unknown version), Chrome (unknown version), and Safari (unknown version) are far more similar than those of Windows, GNU/Linux, Mac OS X iOS, Android, and Windows Phone, and there's no $99 per platform per year certificate fee to sign your code either. In fact, the API of Chrome is identical to the native API of Chrome OS. You can circumvent misconfigured proxies by using HTTPS, something you should be doing anyway to protect users' credentials from Firesheep, provided that users don't have the root certificate of a corporate SSL MITM installed.

Comment Cancel or Allow (Score 1) 275

This should be directly controllable by the end user

A single web page may already include components from a dozen origins, such as an <img> element whose src= attribute references an image from a CDN. How would you design a user interface to give the end user the power to cancel or allow every request made to a different origin without having it become as annoying as the Windows Vista behavior that made "Cancel or Allow" into a punchline?

Slashdot Top Deals

"Gotcha, you snot-necked weenies!" -- Post Bros. Comics

Working...