flat assembler
Message board for the users of flat assembler.


Poll: do you disable javascript in your browser ?
Yes, for every website: 7% [ 1 ]
Yes, but allow javascript for trusted sites: 28% [ 4 ]
No: 64% [ 9 ]
Total Votes : 14

revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17463
Location: In your JS exploiting you and your system
I guess I live in a bubble. Sad
Post 31 Aug 2009, 02:16
Azu



Joined: 16 Dec 2008
Posts: 1159
There's really no point in disabling cookies. You'll just break logins in most of the sites on the internet.

If you're worried about tracking, then only allow cookies to be accessed on the site they came from. Problem solved.
Post 31 Aug 2009, 04:11
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
revolution wrote:
drhowarddrfine: disabling cookies is not because of malware, it is because of tracking. Didn't you know?

And cookies can only be used to store information YOU supply. They don't do anything on their own.

Quote:
Also there are a number of websites that do not use either cookies or JS and still manage to have ordering/buying work flawlessly, it can be done without JS or cookies.

Yes, it can, but those sites are doing things the hard way and now you are counting on a site not using those tools available to them.

Quote:
Thirdly your assertion that "The web has always been designed to be scriptable" means nothing. Even if that is true that doesn't mean that it is what we have to do.

It is true and there's no getting around it. It's how things are and how they will continue to be and more so as time goes on. It's difficult, nowadays, to find any web development article that doesn't talk of some method that uses js to add functionality. While some may say a site should first be developed to work without js, and then add it for those who have js turned on, more ignore that and proceed, requiring its use.

Look at Amazon's web service, S3. It uses REST, which is nothing but plain old HTTP and requires javascript. You can implement REST without javascript but the effort involved isn't worth it and expensive to work around. As far as cookies go, you can't order from Amazon without cookies turned on.
Post 31 Aug 2009, 14:36
Azu



Joined: 16 Dec 2008
Posts: 1159
Anyone who replaces simple href links with javascript should be shot. After first being tortured to death eight (7 just in case they're a cat, plus 1 in case they're a messiah) times.




Just kidding of course; that would be going far too easy.
Post 31 Aug 2009, 14:48
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
I did an experiment a long time ago to try to catch a pedophile son of a convoy of five trailers full of bitches. It consisted of changing my avatar in the forum to a PHP script that transmitted the image but also installed a cookie on the visitor. The result was that none of the browsers used by the members of the forum installed the cookie except for Firefox. Does Firefox still accept installing cookies from elements not belonging to the main site domain? (I don't have the resources to conduct this test anymore).

PS: The experiment was done in the hope that some day the pedophile would enter the forum anonymously without using TOR, so that as soon as I saw the same cookie on a TOR and a non-TOR address I could know his real IP.

PS2: And believe me that he deserves no less than ten death penalties for the photo he posted in the forum. It has been three or four years already and I can still remember it.
Post 31 Aug 2009, 15:28
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17463
Location: In your JS exploiting you and your system
FF has a tick box to accept third party cookies. By default it is on. I think every other browser has a similar default behaviour?

LocoDelAssembly: You have a forum?
Post 31 Aug 2009, 15:45
Azu



Joined: 16 Dec 2008
Posts: 1159
FF, Chrome and Opera do. Haven't looked at others.
Post 31 Aug 2009, 15:47
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
Quote:

LocoDelAssembly: You have a forum?

No. I was trying to assist the owner of it with that trick.

The PHP was this:
Code:
<?php
// $_SERVER keys of interest. The loop below logs every $_SERVER entry, not only these.
$LOG_SET = array('HTTP_ACCEPT', 'HTTP_ACCEPT_LANGUAGE', 'HTTP_UA_CPU', 'HTTP_REFERER',
                 'HTTP_ACCEPT_ENCODING', 'HTTP_USER_AGENT', 'REMOTE_ADDR');

$VISITOR_COOKIE_NAME = '100WebSpaceId';
$SESSION_COOKIE_NAME = 'surfing_session';

$IMAGE_FILE          = 'assembly.jpg';
$LOG_FILE            = 'CloverHunter.txt';
$COOKIE_ID_FILE      = 'id.txt';

$MAX_LOG_SIZE        = 450*1024;

error_reporting(0);

// Request headers (getallheaders() is not available under every server API)
$headers = function_exists('getallheaders') ? getallheaders() : array();

// Timestamp shifted to UTC-3
$log = gmdate("Y/m/j H:i:s", time() + 3600*-3) . "\n\n";

foreach ($_SERVER as $key => $value)
  $log = $log . "$key => $value\n";

$log = $log . "------Headers------\n";

foreach ($headers as $header => $val)
  $log = $log . "$header => $val\n";

$log = $log . "------Cookies------\n";

foreach ($_COOKIE as $key => $value)
  $log = $log . "$key => $value\n";

$log = $log . "--------------------------------------------------------------------------------\n";

$tamano = strlen($log);

// A single record larger than one log file is dropped
($tamano > $MAX_LOG_SIZE) and die();

// Pick the first numbered log file that still has room for this record
for ($i = 1;
     file_exists("($i)$LOG_FILE") and (filesize("($i)$LOG_FILE") > $MAX_LOG_SIZE - $tamano);
     $i++);

$handle = @fopen("($i)$LOG_FILE", 'a');
if ($handle) {
  fwrite($handle, $log);
  fclose($handle);
}

// No visitor cookie yet: issue the next id from the counter kept in $COOKIE_ID_FILE
if (!isset($_COOKIE[$VISITOR_COOKIE_NAME])) {
  $handle = @fopen($COOKIE_ID_FILE, 'r+');
  $id = ($handle ? (int) fgets($handle) : 0) + 1;

  if ($handle) {
    fseek($handle, 0, SEEK_SET);  // offset first, then whence
    ftruncate($handle, 0);

    fputs($handle, $id);
    fclose($handle);
  }

  // Cookie lifetime: 60 days
  setcookie($VISITOR_COOKIE_NAME, md5($id), time()+60*60*24*60, "/");
}

session_name($SESSION_COOKIE_NAME);
session_start();

$imagen_real = 'ifjeiojfwe.jpg';

// Serve the real avatar image
header('Content-Type: image/jpeg');
header('Content-Length: ' . filesize($imagen_real));
readfile($imagen_real);
?>

Saved in the "assembly.jpg" directory as index.php to fool the forum software's extension restrictions. (I asked the admin for permission at that time and then set my avatar to http://domain/assembly.jpg).

The forum no longer exists.

From what I see in the logs, the browsers that were installing the tracking cookie were Firefox 2.0 and Opera 9, but not MSIE 6 & 7. Also, this was two years ago, not four :$

Code:
2007/07/31 22:17:11

HTTP_ACCEPT => text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_LANGUAGE => es
HTTP_UA_CPU => 
HTTP_ACCEPT_ENCODING => gzip,deflate
HTTP_USER_AGENT => Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
REMOTE_ADDR => 190.136.111.29
------Cookies------
100WebSpaceId => 45c48cce2e2d7fbdea1afc51c7c6ad26
surfing_session => 2a081f9b492f495cbcfea687f5e3de7f
--------------------------------------------------------------------------------
2007/07/31 23:03:14

HTTP_ACCEPT => text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_ACCEPT_LANGUAGE => es-es,en;q=0.9
HTTP_UA_CPU => 
HTTP_ACCEPT_ENCODING => deflate, gzip, x-gzip, identity, *;q=0
HTTP_USER_AGENT => Opera/9.22 (Windows NT 5.1; U; es-es)
REMOTE_ADDR => 200.117.216.187
------Cookies------
100WebSpaceId => 1c383cd30b7c298ab50293adfecb7b18
surfing_session => 45fba87809df902772f89162b379f0bc
--------------------------------------------------------------------------------
2007/07/31 22:10:29

HTTP_ACCEPT => */*
HTTP_ACCEPT_LANGUAGE => es
HTTP_UA_CPU => 
HTTP_ACCEPT_ENCODING => gzip, deflate
HTTP_USER_AGENT => Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
REMOTE_ADDR => 201.253.41.126
------Cookies------
--------------------------------------------------------------------------------
2007/08/1 00:11:43

HTTP_ACCEPT => */*
HTTP_ACCEPT_LANGUAGE => es-ar
HTTP_UA_CPU => x86
HTTP_ACCEPT_ENCODING => gzip, deflate
HTTP_USER_AGENT => Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; WinuE v6; FDM; WinuE v6)
REMOTE_ADDR => 201.252.123.91
------Cookies------
--------------------------------------------------------------------------------    
Post 31 Aug 2009, 17:32
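
Added example, not part of the original post: a reader for the log layout shown above that tallies, per browser family, whether a client ever sent the `100WebSpaceId` cookie back on an embedded-image request. The function names, the address-plus-user-agent client key and the sample records are assumptions made for illustration; the sample is constructed, not taken from the posted log.

```python
import re
from collections import defaultdict

VISITOR_COOKIE = "100WebSpaceId"  # cookie name used by the script in the post
SEPARATOR = "-" * 80              # record delimiter the script writes
FF = "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
OP = "Opera/9.22 (Windows NT 5.1; U; es-es)"
def record(ts, ua, addr, cookie=""):  # one constructed record in the posted log layout
    cookie_line = f"{VISITOR_COOKIE} => {cookie}\n" if cookie else ""
    return (f"{ts}\n\nHTTP_UA_CPU =>\nHTTP_USER_AGENT => {ua}\nREMOTE_ADDR => {addr}\n"
            f"------Cookies------\n{cookie_line}{SEPARATOR}\n")
SAMPLE_LOG = "".join([  # constructed sample: RFC 5737 addresses, made-up cookie value
    record("2007/07/31 22:10:29", IE, "192.0.2.1"),
    record("2007/07/31 22:11:02", FF, "192.0.2.2"),
    record("2007/07/31 22:17:11", FF, "192.0.2.2", "c0ffee01"),
    record("2007/07/31 22:40:00", IE, "192.0.2.1"),
    record("2007/08/1 00:11:43", OP, "192.0.2.3"),
])

def parse_records(text):  # -> list of {'time', 'fields', 'cookies', other sections}
    records = []
    for chunk in filter(str.strip, text.split(SEPARATOR)):
        lines = chunk.strip().splitlines()
        rec = {"time": lines[0], "fields": {}, "cookies": {}}
        target = rec["fields"]
        for line in lines[1:]:
            if line.startswith("------"):  # section marker such as ------Cookies------
                target = rec.setdefault(line.strip("-").lower(), {})
            elif (m := re.match(r"(\S+) =>\s*(.*)", line)):
                target[m.group(1)] = m.group(2)  # value may be empty (HTTP_UA_CPU)
        records.append(rec)
    return records

def browser_family(ua):  # Opera first: its user agent may also contain "MSIE"
    return next((name for name in ("Opera", "Firefox", "MSIE") if name in ua), "other")

def cookie_return_by_browser(records):
    """Per client (address + user agent): did any request carry the visitor cookie?"""
    seen = defaultdict(list)
    for rec in records:
        key = (rec["fields"].get("REMOTE_ADDR"), rec["fields"].get("HTTP_USER_AGENT", ""))
        seen[key].append(VISITOR_COOKIE in rec["cookies"])
    result = defaultdict(lambda: {"returned": 0, "not_returned": 0, "undetermined": 0})
    # The cookie is set in the response, so a single cookieless request proves nothing.
    for (_, ua), flags in seen.items():
        verdict = "returned" if any(flags) else "not_returned" if len(flags) > 1 else "undetermined"
        result[browser_family(ua)][verdict] += 1
    return dict(result)
```

A client that appears only once without the cookie is counted as undetermined, which matters when reading a log like the one above where most addresses appear a single time.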
drhowarddrfine



Joined: 10 Jul 2007
Posts: 535
LocoDelAssembly wrote:
Does Firefox still accept installing cookies from elements not belonging to the main site domain?
No.
Post 31 Aug 2009, 20:35

Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.