Domain: example.com
Stories and comments across the archive that link to example.com.
Comments · 590
-
Re:You can already do this with Javascript
As long as the browser has the ability to respond to all pings or respond to some pings or respond to no pings, depending on a user pref, I think the default should be to respond to all pings. Just like when I load slashdot.org they link in Javascript scripts from TWO different 3rd parties (Google Analytics and something else). These pings don't do anything different than URLs like http://www.example.com/redirect.cgi?http://www.foobar.org do. In fact, the pings discourage the use of lame URLs like http://www.example.com/redirect.cgi?s0m3_w3bs1t3 where you have no idea where you're headed until you click the link, so in that sense they'd be a marked improvement. -
It's polite.
Adding a ping attribute to links isn't anything resembling spyware, and it doesn't, as a lot of people seem to think, make the web a worse place to be. It adds a polite way for websites to ask for click information. They don't intrude any more than redirects do, but instead of seeing:
http://www.example.com/tracker.cgi?go=http://www.example.com/nextpage
or the more obnoxious:
http://www.example.com/go?id=fluffernutter
in the status bar, users will see:
http://www.example.com/nextpage
and in addition, they will have the ability to easily turn off the pinging. There are JavaScript bookmarklets that get around the first style, but nothing that gets around the second style. The third style will make it a browser preference. Anyone who thinks that most users spend a whole lot of time thinking about the URLs of links that they are clicking on probably isn't thinking right.
max -
Re:Web 2.0: Where solutions don't need problems?
Ahh, right, I see. Interesting approach. I was thinking about using alternative hostnames to do a similar thing, so that no changes to the code need to take place for the testing - e.g. http://normal.test.example.com/ http://noajax.test.example.com/ http://nojavascript.test.example.com/ etc.
-
Re:Captain Obvious Raises His Hand
Isn't it risky having your webserver automatically hit a file that is specified by a user? A user that is clearly untrusted, as you are needing validation of all the images.
Will your site be obeying robots.txt? If so then validation is pointless: just add a deny line into robots.txt. Some sites don't appreciate being hit by half the webservers in the world at once because someone added their image to a forum. Couldn't this be used as a way of launching DDoS attacks against any webserver that hosts an image?
You seem to be forgetting that webservers have the ability to lie when serving up any file. If the automatic load is immediate then simply use a server-side script, like PHP, to serve the image, and for the first N number of hits log the IP and serve a valid .jpg file. The webserver's IP is not going to change, unless you have multiple servers, which only big sites can afford. Whenever a hit comes in for one of the first used IPs, serve a valid .jpg just in case it's a validation check. Using things like Apache's rewrite you could have a URL like http://www.example.com/bad/image/12345/file.jpg which would pass name validation, which could easily be changed to http://www.example.com/badImage.php?src=12345, and for every different src restart the process of monitoring the first few hits. That way a user can use the same bad image for any site that allows image submission.
Remove image-posting privilege or ban from the forum anyone whose image submissions are removed (or fail) on a sufficient number of occasions
Closing the stable door after the horse has bolted. Automatic checks can be falsified as shown above. Human checks can take too long. Plus if the attack is subtle enough the infected user won't know where it came from. If it's severe enough the user might be unable to inform the site or may be more worried about recovering their PC. By which time enough people will have been hit by the image.
Although I mentioned a specific way of avoiding that kind of validation there are of course numerous other possible attacks.
Make "show user-submitted inline images" an option that visitors to the site have to specifically enable, which involves accepting an agreement.
I do agree completely with this. However it's more of a legal solution than a technical solution. Of course users can block images from their browser or block remote images (just make sure you don't allow users to upload an image. However, uploaded images can be validated; block WMF based on the beginning of the file.)
The real problem is browsers see an image and assume it's safe to try and display it. How could it possibly do damage? Oh dear, some moron decided it would be OK to allow an image file to include executable code. A browser won't download an executable and run it for you without asking just because someone stuck it on a webpage, but it seems it's OK to do this with an image.
Every time you allow content to be inserted into your webpage that's not your content then you run this risk. And it's not just things like forums or comments. Retrieving RSS feeds and adding them to your page is adding external content, as is using advert scripts like Google's. The only safe way would be to avoid any user-submitted data at all.
Just realised that you could of course require all images to be moderated by a human before being displayed at all, however this would reduce usability as the image could be an important part of the post, and depending on how many staff you've got on your site and your site's size it may take a while to get through all the images. Plus how many people would agree to "look at this image to make sure it doesn't destroy a user's computer"? Would you be willing to risk your machine? Not without one hell of an incentive!!! -
ODF Introduction flawed
In the Mixed content model section, it gives a hyperlink example in which the Microsoft example doesn't show the reference http://example.com/ so it isn't equivalent to the ODF example.
-
Mirroring is disabled?
WOW, Beatles has such an awesome site I of course wanted to make a backup in case it ever goes down. Of course I want my backup to have only the most recent data, so I keep my backups as fresh as possible. I also make backups of similar amazing sites strangers sometimes send me links to via email...
Maybe someone could help me out. Normally I let this run at night...
site-backup-list.txt
http://george-harrison.info/
http://othersites.example.com/
make-backup-sites.bat
:repeat
wget -r -l 999 --proxy=off -i site-backup-list.txt
goto repeat
Sadly, george-harrison.info returns 503 Unknown Site errors to wget. Does someone know how I may be able to make backups of their site in an automated fashion, preferably from the command line? -
PHP Performances
In fact, there was a rumor that Zend bought and killed http://sourceforge.net/projects/turck-mmcache/, the best accelerator out there because it competed with their commercial product.
Did they not buy and kill Turck MMCache, but hired the main developer to work for them, thereby "killing" the project?
IMO PHP is great for doing many things. It will never replace C/C++ or Java, but it's a quick and simple solution. And yes, there are many bad PHP scripts out there. There's also a really bad web browser with many security holes; let it go, nothing will ever be perfect.
Yes, there are many features it could use to improve itself, but the idea behind PHP is quick and easy. The cost of building a program usually relies on the programmers, not on the hardware, and if you are into making a big site just install APC yourself; who cares if a compiler is built in by default. For your default needs it doesn't matter; hardware is relatively dirt cheap compared to your programming costs. What makes PHP so good and popular is that to write to the screen you don't need 4 classes of buffers and such, you just go echo; to get the contents of a file, be it web or not, you go file_get_contents('http://www.example.com/') and voila, you get stuff done quicker. It's not optimized, but really you'll get more impact on a script if you have a good algorithm than if you do some real hard-core optimizations (like taking MMCache over APC or another that compiles the scripts first).
And let's not even talk about the community surrounding PHP with so many open source classes to speed up development. That's the power of PHP.
As a side note my wishlist for PHP includes overloading and type hinting/auto converting before namespaces. -
Re:Stop issuing .com!
If a company truly has a global scope and a physical presence in multiple countries a .com is appropriate, so why not just http://us.example.com/ http://uk.example.com/ http://fr.example.com/ etc? I think it's pathetic that "Ginnie's home made mulled cider" finds it easier to register a .com than a .ca. -
Trivial Solution to TinyURL URL validation
If TinyURL didn't like this, seems like they could trivially add a check to see if URLs they are given actually exist by accessing them. If they get a 404, don't accept. For those sites that give a redirect instead of a 404, follow the redirects until they get to a page that actually answers, and use its URL instead.
Two flaws. (1) It is possible to create a loop of redirects. Of course, the solution on TinyURL's end would be to follow an arbitrary number of redirects, and declare anything that redirects more than that an invalid URL.
(2) There are probably thousands of webapps that will give a valid response to URLs like the following: http://www.example.com/cgi-bin/script?ARBITRARYDATAGOESHERE rather than a 404.
(2a) Barring that, why not just set up your own web server that returns an HTTP 200 for any URL? Hell, you don't even need to go that far, you could probably write a single line of perl that listens on port 80, and returns an HTTP 200 along with a small document in response to any HTTP request. -
Slashdot code is br0ken in Opera!
Who said pages don't want to be wide? ThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatestThisisatest
-
Re:Other dangers in the air at home
+1 for the info, but next time give us actual links please -
Legitimate URL Syntax
Adding /../ to a URL is not an attack. It is legitimate URL syntax.
http://example.com/ => default page of example.com
http://example.com/SomeFolder/../ => display folder contents of example.com so that user can peruse list of available pages.
The dangerous precedent that this case sets, is that typing a URL into the address bar is an attempt to gain unlawful access, rather than (as I think it *should* be interpreted) a polite request as to whether a particular page is available to the public.
Since I have automatic redirects disabled on my browser, in order to use some sites (including bt's), I need to type in the full path to the home page, and my usual method involves trial and error.
So far I have tried
http://www.bt.co.uk/
http://www.bt.co.uk/index.html
http://www.bt.co.uk/index.htm
Woah. I just made 3 unsuccessful attempts to "access" bt's site. They'll be coming to get me now.
Well, if they do, I think I have a perfectly legit counterclaim - they tried to hijack my computer by redirecting my browser to a URL that I did not type in directly.
Adelle. -
Re:Reply from Original Poster re: off the shelf
I'll outline the shell of it here, but you'll have to do the legwork to complete it (or hire someone who can) as it is too detailed to put in a post here.
Since PHP is pretty ubiquitous on webhosts, I'll assume PHP for the scripting.
You could do this with or without a database. I'll outline a path for doing it WITHOUT a db.
1) Make sure all your files have some sort of ID number for the filename (makes life easier).
2) Store *all* your files in a non-web accessible directory
ex. if your webroot is /username/public_html/
store your pics in /username/photos/
this way, they can't be downloaded directly from the browser.
If you can't create a directory above your webroot, then make it inside your webroot, but protect it with .htaccess
3) When a customer makes a purchase, you'll have an admin page that lets you create a 'download ticket' - when you load this page, you supply an email address and an image ID number (see #1) and it generates a 'ticket' that they can use to download the picture. (see 3a-b for details)
3a) Since this isn't Fort Knox, security doesn't need to be super tight, just enough to prevent casual sharing.
I would suggest a ticket be in a format like this.
0000-12345abc-12345678
where '0000' represents the image ID number
12345abc is the 'expiration date' encoded into base 16 (to be shorter)
12345678 - is every 4th digit of the MD5 (to keep it shorter) of the image number / date / and some secret string (that only is known to your web server)
3b) The admin page sends an email to the client using the email you provided.
"You can download your image at:
http://www.example.com/get.php?t=0000-12345abc-12345678
This link will be functional until xxx-xx-xxxx blah blah blah"
4) You have a page 'get.php' that looks at the $_REQUEST['t'] value and does a comparison.
4a) Split the ticket into its parts ('0000' , '12345abc', '12345678')
4b) Calculate the MD5 of part 1 + part 2 + 'secret string'
4c) Get every 4th char, does it equal part 3? If not, DO NOT DOWNLOAD THE FILE, if so, continue
4d) Check the date, has it expired? If so, DO NOT DOWNLOAD THE FILE, if not DOWNLOAD THE FILE (see fpassthru() in PHP)
--
Notes:
With a database, you can record number of attempts per ticket to make sure someone isn't trying to brute force access by doing an incremental attack on the checksum (part 3) as there are only 4,294,967,296 possible combinations (16^8).
You could also add some sort of logging so that you can see who has attempted to download the file, etc.
You'd also want to make sure you're properly sanitizing the input as (at some point) you'll be translating the input value to a file path, so you need to make sure there are no potential attack vectors for walking the file system (which shouldn't happen if you check your MD5 first, but it would still be possible, especially since you're only using 1/4 of the check digits).
You want to keep the URL as short as possible for downloading so that the ticket doesn't word-wrap in their email. If it breaks, it may not be clickable any more. You'll probably also want instructions so that they can enter the ticket manually on the page, if the link in their email breaks.
Arguably, if someone figured out your secret phrase (the one you use in MD5 generation) they could generate tickets to download any of your files, but the only way they should be able to do that is if they have access to your box - which if they have access to your box they already have access to your files.
-- -
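The ticket scheme in the post above (image ID, hex-encoded expiry, keyed checksum; split, recompute, compare, check expiry before touching a file), reimplemented here as an added example in Python rather than the poster's PHP. It is not the poster's code. It deliberately departs from the post in two places, as the notes in the post themselves suggest: the checksum is a full HMAC-SHA256 tag over the ID and expiry keyed with the server secret, instead of every 4th hex digit of an MD5 (the post's own 16^8 brute-force concern goes away), and the ID part is validated as four digits before it is ever turned into a path, so the path-walking concern from the notes is handled regardless of the checksum. The secret, the photo directory name and the ticket values are constructed for the example.

```python
"""Download tickets: 0000-<hex expiry>-<tag>, checked before any file is served.

Added example, not the poster's PHP. Assumptions: SECRET is a constructed
server-side secret; PHOTO_DIR is the non-web-accessible directory from the post.
"""
import hashlib
import hmac
import os

SECRET = b"constructed-example-secret-never-in-webroot"   # constructed for the example
PHOTO_DIR = "/username/photos"                             # from the post: outside the webroot


def _tag(id_part: str, exp_part: str, secret: bytes) -> str:
    """Keyed tag over the first two ticket parts (HMAC-SHA256 instead of truncated MD5)."""
    msg = f"{id_part}-{exp_part}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_ticket(image_id: int, expires_at: int, secret: bytes = SECRET) -> str:
    """Step 3a: build '0000-12345abc-<tag>' for a 4-digit image ID and a Unix expiry time."""
    if not (isinstance(image_id, int) and 0 <= image_id <= 9999):
        raise ValueError("image id must be 0..9999")
    id_part = f"{image_id:04d}"          # zero-padded ID, as in the post
    exp_part = f"{int(expires_at):x}"    # expiry in base 16 to keep the ticket short
    return f"{id_part}-{exp_part}-{_tag(id_part, exp_part, secret)}"


def check_ticket(ticket: str, now: int, secret: bytes = SECRET):
    """Steps 4a-4d: return the image ID for a valid, unexpired ticket, else None."""
    parts = ticket.split("-")
    if len(parts) != 3:                                    # 4a: split into its parts
        return None
    id_part, exp_part, tag = parts
    if not (len(id_part) == 4 and id_part.isdigit()):      # input sanitising: digits only
        return None
    try:
        expires_at = int(exp_part, 16)
    except ValueError:
        return None
    # 4b/4c: recompute the tag and compare in constant time; no file access on failure
    if not hmac.compare_digest(tag, _tag(id_part, exp_part, secret)):
        return None
    if now > expires_at:                                   # 4d: expired tickets are refused
        return None
    return int(id_part)


def file_for_ticket(ticket: str, now: int, photo_dir: str = PHOTO_DIR):
    """Map a valid ticket to the file that get.php would pass to fpassthru(); None if refused."""
    image_id = check_ticket(ticket, now)
    if image_id is None:
        return None
    path = os.path.normpath(os.path.join(photo_dir, f"{image_id:04d}.jpg"))
    # Belt and braces: the resolved path must remain inside the private directory.
    if os.path.commonpath([photo_dir, path]) != photo_dir:
        return None
    return path


if __name__ == "__main__":
    t = make_ticket(42, 1_700_000_000)
    print("ticket:", t)
    print("valid  :", file_for_ticket(t, 1_699_999_999))
    print("expired:", file_for_ticket(t, 1_700_000_001))
```

The only state the server needs is the secret; the expiry travels inside the ticket and is covered by the tag, so a client cannot extend it. Attempt counting and logging per ticket, as the post's notes describe, still need a database and are not shown here.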
Use an order-specific symlinkUnix-specific solution:
- Place the zipfiles into a directory readable by the webserver but not accessable over HTTP. Call it something like
/webroot/private - Create a second directory, writable by your shopping cart script and HTTP-accessable. Call it something like
/webroot/orders - When a customer places and order, have the script create a symbolic link from the private directory to an order-specific filename in the public directory (an MD5 sum of e.g. the time + process id might make an appropriate filename)
- Provide a link to the symlinked file in the customer's receipt
In the script:
ln -s /webroot/private/CONTENT.zip /wehroot/orders/RANDOM_FILENAME.zipIn the receipt:
<a href="http://example.com/orders/RANDOM_FILENAME.zi p">Click here to download</a>(Thank you slashcode for clobbering that code - get rid of the space in 'zip' and the '[example.com]' string, above)
This isn't foolproof since customers can still pass the URL on to others. If they do though, you'll know who did it based on the order-specific filename.
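An added example, not the commenter's script, of the symlink approach above done from a Python cart script rather than a shell one-liner. Two changes from the comment: the public name comes from a CSPRNG instead of MD5(time + process id), which an outsider who knows roughly when the order was placed can narrow down, and the order-to-name mapping is recorded so a passed-on URL can be traced back to the order it was issued to. Directory and order values are constructed placeholders; the web server must be allowed to follow symlinks out of the orders directory.

```python
import json
import os
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed placeholder; in the comment the public directory is /webroot/orders.
PUBLIC_BASE_URL = "http://example.com/orders/"


def load_ledger(ledger_path: Path) -> Dict[str, str]:
    """public file name -> order id; keep this file outside the web root."""
    if not ledger_path.exists():
        return {}
    return json.loads(ledger_path.read_text())


def create_order_link(private_dir: Path, orders_dir: Path, ledger_path: Path,
                      content_name: str, order_id: str) -> str:
    """Link orders_dir/<random>.zip -> private_dir/<content_name>; return the URL."""
    if "/" in content_name or "\\" in content_name or content_name in (".", ".."):
        raise ValueError("bad content name")
    target = private_dir / content_name
    if not target.is_file():            # never create dangling or traversal links
        raise FileNotFoundError(content_name)
    # 18 random bytes -> 24 URL-safe chars: unguessable, still short for an e-mail.
    public_name = secrets.token_urlsafe(18) + ".zip"
    os.symlink(target, orders_dir / public_name)
    ledger = load_ledger(ledger_path)
    ledger[public_name] = order_id
    ledger_path.write_text(json.dumps(ledger))
    return PUBLIC_BASE_URL + public_name


def order_for_url(ledger_path: Path, url: str) -> Optional[str]:
    """Which order was this download link issued to? (tracing a passed-on URL)"""
    return load_ledger(ledger_path).get(url.rsplit("/", 1)[-1])


def demo() -> dict:
    """Exercise the flow in temporary directories with a constructed zip stub."""
    root = Path(tempfile.mkdtemp())
    private_dir = root / "private"
    orders_dir = root / "orders"
    private_dir.mkdir()
    orders_dir.mkdir()
    (private_dir / "CONTENT.zip").write_bytes(b"PK\x03\x04 constructed zip stub")
    ledger = root / "ledger.json"
    url = create_order_link(private_dir, orders_dir, ledger, "CONTENT.zip", "order-1001")
    link = orders_dir / url.rsplit("/", 1)[-1]
    return {
        "url": url,
        "is_symlink": link.is_symlink(),
        "same_bytes": link.read_bytes() == (private_dir / "CONTENT.zip").read_bytes(),
        "order": order_for_url(ledger, url),
        "unknown": order_for_url(ledger, PUBLIC_BASE_URL + "not-issued.zip"),
    }


if __name__ == "__main__":
    print(demo())
```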
-
LOL HYLOL HY DESSIMAT0R LOL HY LOL HEARTIEZ LOL HY HY HY2U LOL NORWAY LOL
#GNAA 4 LYFE
irc.gnaa.us
-
AREEMS, AREEMS, I HEAR YO SCREAMSLATVIAN HOUSE, QUIET AS SHIT, AREEMS WAS ASLEEP, STROKING HIS TIT, SUDDENLY WOKEN BY THE THOUGHTS OF FOOD, HE WANDERED DOWNSTAIRS TOTALLY NUDE, WITH A 1 INCH ERRECTION, HE OPENED THE FRIDGE, A MAN SAT BESIDE HIM, LADEN WITH GRIDS, THE MAN WAS A NIGGER, HE LOOKED LIKE A MESS, WHY WAS THIS MAN WEARING A DRESS? THIS MAN WAS A DARKIE FROM THE GNAA. UNKNOWN TO AREEMS, HE WAS TOTALLY GAY.
HIS 20 FOOT DONG STARTED TO RISE -- HE COULD SEE THE FEAR IN AREEMS' EYES. DON'T BE SHY, HE SAID, WITH A CAMP INFLECTION, ITS OKAY TO GET HIV FROM AN AIDS INFECTION. ANNOUNCING HIS PRESENCE, HE PLUNGED INTO AREEMS, HIS O-RING WAS TEARING AROUND THE SEAMS. AREEMS FELT HIS PRESENCE INSIDE HIS ASS, REMAINS OF DOUGHNUTS STILL YET TO BE PASSED.
THE BLACK MAN MOVED FURTHER INTO AREEMS, VISIONS OF CAKES STILL IN HIS DREAMS. THE NIGGER CAME AND THE BUG WAS PASSED, AREEMS GAVE A FUCK AS THE HOUSE WAS GASSED. THE SS WAS HERE, READY TO KILL, HITLER'S MEN GAVE OUT A SHRILL. "SCHNELL", THEY REPEATED, AS AREEMS WAS CAPTURED, PACKED INTO A TRAIN HEADED FOR RAPTURE.
WHEN HE ARRIVED, GREETED BY JEWS, THIS PLACE HAD FOOD -- HOW COULD HE LOSE? PACKED INTO A CELL AND GIVEN HIS FEAST, JEWISH CORPSES BLOATED WITH YEAST. A TASTE OF ZYKLON-B AS HE TUCKED IN, THIS PLACE WAS SOME SORT OF JEWISH BIN. COULD IT BE AUSCHWITZ? HE ASKED THE ASSCLOWN. HE LAUGHED AND SAID THAT THIS WAS IN FACT #BANTOWN.
AREEMS WAS CONFUSED -- WHY WAS HE HERE? FEASTING ON CORPSES FOR OVER A YEAR. YOUR POSTERIOR, HE SAID, IS USEFUL TO US. YOUR ANUS AFFORDS US A GREAT SOURCE OF PUS. THE FATTER YOU GET, THE MORE YOU PRODUCE, WE WANT YOUR ASS TO BE TOTALLY LOOSE. OUR MEMBERS ARE KILLED AND THEN FED TO YOU, WE EXTRACT YOUR PUS TO USE IN OUR COUP.
AREEMS COULDN'T CARE LESS, AS LONG HE FED, IT SADDENED HIM TO HEAR THAT HIS FRIENDS WERE DEAD. AREEMS GREW TO HIS CAGE AND THEN READIED HIS REAR, THE LOOK ON HIS FACE WAS ONE OF FEAR. THE DEVICE WAS TURNED ON, AND A WHIRRING BEGAN. THE PUS WAS EXTRACTED INTO A PAN. THIS WAS THEN EMPTIED INTO A BOTNET DEVICE -- A LINUX SERVER THAT ALREADY CRASHED TWICE.
THE MACHINE CAME ONLINE, AND ENTERED #GNAA, CAUSING A SMALL AMOUNT OF DISMAY. THE OPS SET A PASSWORD, AND THE CHANNEL WAS STILL. IT SEEMS THEIR DEVICE DID NOTHING TO KILL. FAILURE OCCURED, AND BANTOWN WAS SHIT, THEY WROTE ON THEIR BLOGS THAT THEIR WRISTS HAD BEEN SLIT. WHAT A PATHETIC EXISTENCE, AREEMS SAID AS HE CRIED, HE WAS TRAPPED IN HIS CAGE UNTIL HE DIED.
-
Re:XMLHttpRequest security issues
In short, it's theoretically possible for a site to be receiving information about pretty much every action you carry out within a browser window, and practically *quite* possible (and likely) for less than trustworthy sites to be receiving information you'd rather they didn't (if you knew about it); I could go further, but the article pretty much explains it well.
This is a problem with Javascript in general, not a problem with AJAX per se. It's been possible to leak information in this manner since Netscape 2.0 - you just swap in an image with the URL http://www.example.com/image.gif?timestamp-mysensitiveinformation.
Basically, if you don't want a website to know how you are interacting with a page on that website, you need to switch off Javascript altogether.
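An added example, not from the comment: the image-beacon leak described above as it looks from the server side, with detection logic run over a few constructed access-log lines in combined format. Fetches of image resources whose query string carries more than a numeric cache-buster are flagged, and a reply of a few dozen bytes (a 1x1 GIF) is recorded as an extra hint.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".webp")
TINY_BODY = 128  # bytes; a 1x1 tracking GIF is around 40


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_beacon(entry: Dict[str, str]) -> bool:
    """Image fetch whose query string carries data rather than a bare cache-buster."""
    path, _, query = entry["target"].partition("?")
    if not path.lower().endswith(IMAGE_EXT) or not query:
        return False
    return not query.isdigit()


def find_beacons(lines: List[str]) -> List[Dict[str, object]]:
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and is_beacon(e):
            size = int(e["size"]) if e["size"].isdigit() else 0
            hits.append({"ip": e["ip"], "target": e["target"],
                         "referer": e["referer"], "tiny": size <= TINY_BODY})
    return hits


# Constructed sample: two beacons, a cache-busted logo and an ordinary page fetch.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Sep/2005:11:13:00 +0000] "GET /image.gif?1125918780-mysensitiveinformation HTTP/1.1" 200 43 "http://www.example.com/page.html" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Sep/2005:11:13:02 +0000] "GET /logo.png?20050905 HTTP/1.1" 200 5120 "http://www.example.com/page.html" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Sep/2005:11:13:04 +0000] "GET /t.gif?ev=mousemove&x=412&y=87 HTTP/1.1" 200 43 "http://www.example.com/page.html" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Sep/2005:11:13:05 +0000] "GET /search?q=example HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```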
-
Re:best solution:
http://example.com/
"Not" should be capitalised, quotation marks should encapsulate "voila", a comma should follow "capitalised", and the sentence should end with a period.
-
Mod Parent Up
There is no reason to make a statement like "they're going to kill me for the bandwidth this uses" when we have resources like the Coral cache. If you're linking to something you fear will use a lot of bandwidth if it becomes popular, Coralize it.
Normal URL: http://example.com/big.jpg
Coralized: http://example.com.nyud.net:8090/big.jpg
Parent is 100% correct in linking to a Coralized version of the image.
-
Re:Easy solution to phone spam... (Score:2) by Dr_LHA on 2005-09-05 11:13
Verizon, Cingular, T-Mobile, etc, need to start charging sensibly
Out of that list, only Verizon charge for an incoming SMS. They used to charge 2c a SMS, but have now upped it to 10c. No other cell phone company does this as far as I know.
-
Re:Easy solution to phone spam... by squiggleslash on 2005-09-05 11:19
Alas, that's not true. T-Mobile charges 5c per incoming SMS. Cingular charges 10c. AT&T Wireless, until they were absorbed, were pretty much the only major US operator that didn't charge for incoming SMS messages. Cingular doesn't charge AT&T customers who are still on old AT&T plans for incoming messages, but those who have certainly are charged.
-- RIAA vs MPAA, Copyrights vs Patents, etc
All trademarks and copyrights on this page are owned by their respective companies. Comments are owned by the Poster. The Rest © 1997-2005 OSTG.
-
ATTENTION RIAA, IMPORTANT POST - MUST READ
lick my fucking anus RIAA!! AND EVRYONE ELSES!!
-
So... (Anonymous Coward, 2005-08-31 11:15)
...are they going to move the menus to the top of the screen (from the tops of the Windows)?
No? Then at least one fundamental point is different between the two OSes.
-
stinkey vagina
-
penis sabrestar pisser
DUN DUN DUN DUN, DUN DUN DUN, DUN DUN DUN
-
I ownall of slashdot
now fuck off niggers
All your geek identity are belong to US
-
Re:Why link to ThinkSecret?
This has to do with their use of WebObjects for the online store. While it's not impossible to provide bookmarkable URLs it's a whole lot more difficult than the standard WO behavior where the URLs are all generated on the fly on a per-session basis.
In fact, as far as I'm aware WebObjects has absolutely _zero_ concept of translating URLs into any sort of file system path. For that you have to write a new request handler.
By default you get wo and wa. So http://example.com/Example.woa/wa/foo/bar actually looks for a method named bar() in a class named foo whereas http://example.com/Example.woa/wo/lkSsfAF42oiu48S9D2R0A/1.2.3.4 looks for the session with the hash lkS.... and then figures out which page the user is coming from and calls a method in its class based on which element (A HREF or INPUT button or whatever) the user clicked. It knows which element the user clicked because the HREF for that element is that 1.5.3.4.2.1 crap based off of its location in the WO component.
If you are really curious you can now download WebObjects for free as it's now part of the Xcode 2.1 tools. Documentation is online as well.
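An added example, not the commenter's code and not part of WebObjects: a parser for the two default URL shapes described above, as a log reviewer would want it. The security point is that a /wo/ URL carries the session identifier in the path, where it ends up in Referer headers, bookmarks and proxy logs, so the example also redacts it before such a URL is written anywhere. Segment layout follows the comment's description, not the WebObjects documentation.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

REDACTED = "[session-redacted]"


def _split_app(path: str):
    """Return (segments, index of the <app>.woa segment) or (segments, None)."""
    segs = path.split("/")
    for i, s in enumerate(segs):
        if s.endswith(".woa"):
            return segs, i
    return segs, None


def classify_wo_url(url: str) -> Dict[str, Optional[str]]:
    segs, i = _split_app(urlsplit(url).path)
    if i is None:
        return {"kind": "not-webobjects"}
    handler = segs[i + 1] if len(segs) > i + 1 else ""
    rest = segs[i + 2:]
    if handler == "wa":
        # /wa/<class>/<method>: direct action, nothing session-specific in the URL
        return {"kind": "direct-action", "app": segs[i],
                "class": rest[0] if rest else None,
                "method": rest[1] if len(rest) > 1 else None}
    if handler == "wo":
        # /wo/<session>/<element id>: component action, session id exposed in the path
        return {"kind": "component-action", "app": segs[i],
                "session_id": rest[0] if rest else None,
                "element_id": rest[1] if len(rest) > 1 else None}
    return {"kind": "unknown-handler", "app": segs[i], "handler": handler}


def redact_session(url: str) -> str:
    """Replace the session id of a /wo/ URL; any other URL comes back unchanged."""
    parts = urlsplit(url)
    segs, i = _split_app(parts.path)
    if i is not None and len(segs) > i + 2 and segs[i + 1] == "wo":
        segs[i + 2] = REDACTED
    return urlunsplit(parts._replace(path="/".join(segs)))


if __name__ == "__main__":
    for u in ("http://example.com/Example.woa/wa/foo/bar",
              "http://example.com/Example.woa/wo/lkSsfAF42oiu48S9D2R0A/1.2.3.4"):
        print(classify_wo_url(u), redact_session(u))
```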
-
Re:Here are the ultra simple steps to do that.
Forgive me if I'm misunderstanding, but what's wrong with putting (in plain text - I can't convince the slashcode to not automatically convert this to a link) something like:
see our recent product additions:
http://www.example.com/new_products.html
-
Re:RewriteMap
Or do you REALLY CARE that much if there happens to be a "www" in the location bar?
It's got nothing to do with the location bar. http://example.com/foo.html and http://www.example.com/foo.html are completely different resources as far as HTTP is concerned, and they are cached separately. This drives down cache hits, wasting bandwidth and increasing server load.
-
This guy isn't that bright.
A few issues:
1) "Can I please reload my configuration file without restarting my server?"
There would be issues opening/closing the sessions in which people would get screwed over anyway.
2) "Why do I have to set up two separate vhosts for http://example.com/ and https://example.com/ when they're the same website?"
Well, because they should be different sites. Why would you have secure content being fed over an unencrypted route? Are you stupid or just want to dick around with your website?
3) "Why isn't there a simple "log out" method for Basic authentication? We've only been asking for it since 1993."
Is there an accepted standard yet? This is in the docs, btw.
4) "Come on folks. Netscape added client-side image maps in 1995!"
Silly to support, but why should someone just drop support for a functionality when there's no reason to?
I would go on, but this PDF ::sigh:: file seems to be written by a 14 year old, even though it has Asbury College written all over it. Maybe he should start using ISS?
-
Re:Those PDF's again... aaargh
For anybody willing to make comments on the content instead of the form, here it is:
Why I Hate The Apache Web Server
Lessons learned from IRC - Rich Bowen
Note: Opinions expressed are those of our users, as expressed on IRC. The goal of this talk is to make people aware of things which those "outside" see as problems, but which we tend to be so used to that we don't see at all. If I get carried away, feel free to throw fruit.
Why do I hate thee? Let me count the reasons.
- Fragile
- Confusing
- Missing stuff that EVERYONE asks for
Fragile
- Breaks easily. Small changes have big results
Options +Indexes Includes MultiViews
Options Indexes Includes Multiviews
The first of these forbids Indexes. The second one permits them. Huh?
Disclaimer
"But that's not supported syntax!"
Then it should throw an error and break, not do something utterly unexpected. Unfortunately, several major Linux distros ship with this broken-but-almost-looks-right configuration, or variants thereof
Example 2
Vhosts ... wow, don't get me started
# My IP address is 192.168.1.200
NameVirtualHost *:80
<VirtualHost 192.168.1.200:80>
...
</VirtualHost>
That vhost is silently ignored. Yeah. That's intuitive.
Discussion
"But the docs say not to do that!" Yes, I know. I wrote that line in the docs. It's still really irritating.
Another ...
Require Valid-user
Unlike every other Apache config setting, "Require" is case sensitive, so that's not valid. valid_user would be nice too. Oh, and "Require User" and "Require Group" don't work either.
Missing (asked daily on IRC)
- Can I set a variable and use it later?
- Can I have an if/else syntax?
- Can I please reload my configuration file without restarting my server?
- How do I make ServerTokens return "Bob's Handy Dandy HTTP Server"? (Yes, this is silly, but it would sure shut a lot of people up finally.)
What else? mod_imap: how many of you have actually used that module? How many of you who are not committers know what it does? Why is it on by default? Come on folks. Netscape added client-side image maps in 1995!
And while we're on the topic mod_cern_meta: Who even knows what this module does? For the record, yes, I do. But I doubt any of you have ever used it.
CONFUSING
NumServers ServerLimit ThreadLimit ThreadsPerChild StartThreads StartServers MaxSpareThreads MinSpareServers MaxSpareServers MinSpareThreads MaxClients MaxThreadsPerChild MaxRequestsPerChild MaxRequestsPerThread ThreadStackSize
Oh sweet God make it stop
What's that directive called?
RLimitMem, RLimitCPU, RLimitNProc? I have to look these up every time. Of course, since they don't seem to do what the docs say, maybe that's not a bad thing.
Am I running out of time yet?
- Why do I have to set up two separate vhosts for http://example.com/ and https://example.com/ when they're the same website?
- Why are dynamic vhosts so darned hard?
- Why doesn't the default configuration file match the "security tips" document?
mod_rewrite
I probably don't need to say anything more than just "mod_rewrite". But I will: "Voodoo" and "... flexibility of sendmail". The docs practically scream "GO AWAY!"
RewriteMap
Nice, but have you ever found an actual useful example? Oh, and the example script for generating db map files doesn't actually work. (Note: Paul fixed this 2 weeks ago. See httxt2dbd)
How about this?
If I want these two aliases to work, I have to:
Alias /foo/bar
-
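A small linter for the three configuration traps the talk in the comment above names (an Options line that mixes +/- keywords with bare ones, a <VirtualHost> address that matches no NameVirtualHost address, and a Require entity that is not lower-case). This is an added example, not code from the talk, from the Apache project or from anyone in this thread; the config text inside it is constructed for the example, and the checks encode the behaviour the talk describes rather than what any particular httpd version accepts.

```python
"""Lint an Apache httpd config for three traps named in the talk above.

Added example, not code from the talk, the Apache project or this thread.
It flags, per the behaviour the talk describes:
  1. an Options line mixing +/- prefixed keywords with bare ones;
  2. a <VirtualHost addr:port> whose address is not listed in any
     NameVirtualHost directive (such a vhost is silently ignored);
  3. a Require line whose entity is not lower-case ("Valid-user").
"""
import re

# Constructed sample that contains all three problems.
BROKEN_CONFIG = """\
# My IP address is 192.168.1.200 (constructed sample)
NameVirtualHost *:80
<VirtualHost 192.168.1.200:80>
    ServerName example.com
    Options +Indexes Includes MultiViews
    <Directory /var/www/private>
        Require Valid-user
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.com
    Options Indexes Includes MultiViews
    Require valid-user
</VirtualHost>
"""

# The same constructed config with each trap corrected.
FIXED_CONFIG = """\
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName example.com
    Options +Indexes +Includes +MultiViews
    <Directory /var/www/private>
        Require valid-user
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.com
    Options Indexes Includes MultiViews
    Require valid-user
</VirtualHost>
"""

OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.IGNORECASE)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
REQUIRE_RE = re.compile(r"^\s*Require\s+(\S+)", re.IGNORECASE)


def check_options(lineno, args):
    """Return a finding if the Options arguments mix +/- and bare keywords."""
    words = args.split()
    prefixed = [w for w in words if w[0] in "+-"]
    if prefixed and len(prefixed) != len(words):
        return (lineno, f"Options mixes +/- and bare keywords: {args!r}")
    return None


def lint(config_text):
    """Return a list of (line_number, message) findings, sorted by line."""
    findings = []
    name_vhost_addrs = set()   # addresses declared via NameVirtualHost
    vhosts = []                # (lineno, address list) of every <VirtualHost>
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # httpd comments are whole lines only
        m = NVH_RE.match(line)
        if m:
            name_vhost_addrs.add(m.group(1))
            continue
        m = VHOST_RE.match(line)
        if m:
            vhosts.append((lineno, m.group(1).split()))
            continue
        m = OPTIONS_RE.match(line)
        if m:
            finding = check_options(lineno, m.group(1))
            if finding:
                findings.append(finding)
            continue
        m = REQUIRE_RE.match(line)
        if m and m.group(1) != m.group(1).lower():
            findings.append((lineno, f"Require entity {m.group(1)!r} is not "
                                     f"lower-case; use {m.group(1).lower()!r}"))
    # Name-based vhosts only: every <VirtualHost> address must be declared
    # exactly as a NameVirtualHost address, or httpd never selects it.
    if name_vhost_addrs:
        for lineno, addrs in vhosts:
            for addr in addrs:
                if addr not in name_vhost_addrs:
                    findings.append((lineno, f"<VirtualHost {addr}> matches no "
                                             f"NameVirtualHost address; declared: "
                                             f"{sorted(name_vhost_addrs)}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, msg in lint(BROKEN_CONFIG):
        print(f"line {lineno}: {msg}")
    print("fixed config findings:", lint(FIXED_CONFIG))
```

Running it reports the three lines of BROKEN_CONFIG that carry a trap (the vhost header, the Options line and the Require line) and nothing for FIXED_CONFIG. The address check deliberately requires an exact string match, which is the rule the talk is complaining about: "*:80" and "192.168.1.200:80" are different strings, so the second vhost never gets selected.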