The Security Risks of HTML5 Development
CowboyRobot writes "Local storage is a big change from HTML of the past, where browsers could only use cookies to store small bits of information, such as session tokens, for managing identity. HTML5 changes this with sessionStorage, localStorage, and client-side databases to allow developers to store vast amounts of data in the browser that is all accessible from JavaScript. An attacker could retrieve this data or manipulate the data, which would then get used again later by the application and may be uploaded back to the server to attack others, as well. Another risk comes from using 3rd-party code. Until HTML5, JavaScript was limited to requesting resources from the domain from which it was loaded, but with the addition of cross-origin resource sharing (CORS), this has been changed to allow JavaScript to request resources from different domains. This offers increased functionality but requires strict usage policies or risks being abused."
Where remote code execution is by design.
Half the web developers out there can't even prevent simple cross site scripting let alone the dozens of other common threats that exist in web development. As with adding any other new development feature, it's just giving people who don't know any better more ammunition to shoot themselves in the foot with. There needs to be more focus on educating developers on security instead of trying to cram every new buzzword tech they can into their application.
Security risks are as stated in TFA, from the user's preferences and browser whatever. It's mostly sensationalist hyperbole. Try CNET next time as an audience. Thx.
At the minimum there should be full data encryption at the client level, that's just to start. Then there are other problems to solve (cross site code accessing information that it shouldn't be able to access)... Basically your desktop will have to solve issues that application and database servers have to solve and I can imagine this is a much more difficult task to accomplish. With application and database servers at least there are people, whose JOB it is to ensure security of the client data (from programmers to testers and administrators), but on the client side... it's very very sketchy, the number of potential problems is enormous.
You can't handle the truth.
Since when isn't it far simpler to store some sort of ID in a cookie, and use that to index a database server-side where you store all of the data you need?
Storing large amounts of data in the web browser just seems like a solution to a problem that doesn't exist.
I just hope web pages continue to fall back to plain html whenever possible.. they're pushing me "off the grid" by relying on too much javascript.
developer, before the rise of the cyber-douchebag, was someone who built houses for people to live in, or maybe a shopping center or something.
engineer, before the rise of the cyber-douchebag, was someone who had to get a license in order to build machines that might hurt people if designed wrong
programmer, before the rise of the cyber-douchebag, used to be happy with their good pay and didn't need to call themselves something they weren't.
Say, (-1, Clueless) or (-1, Clickbait)?
Seriously, "the data, which may be uploaded back to the server to attack others, as well"? My, those are some angry key-value pairs.
Seriously, CORS - that has to be properly set up both on server and client - as more of a risk than hacked together with Flash, JS and unholy gods solutions for cross-site access that were used before?
So wait if someone has access to your pc and can change things on it there may be a security problem? This is not really different than someone being able to steal your cookie. I would say that the problem is more that people can still access your data on the local pc at a later stage (No worse than an old fashioned desktop application). This could and most probably will be mitigated by using some form of encryption of the offline storage using your login. CORS used incorrectly will be a problem but then again you can say the same for all the current technology at the moment. All new technology is a security problem till people work out best practices. Though there are many advantages to using them. (Transparent failover of your web app as one off the top of my head)
So... where's the risk? How can my computer be put at risk?
If an app wants to use localStorage, Firefox prompts me for permission, and only assigns 5KiB or something like that tops.
The worst scenario I can picture, is my MANUALLY authorizing literally millions of websites and them filling up my disk.
As for CORS: where's the security issue for the user? CORS is allowed for web hosts that explicitly state they support it. And again, how could that possibly expose me?
Pining for the olden days is no solution. I think what we need is to recognize that creating and deploying software has consequences, and as such we need a developer license, similar to how being a surgeon or a lawyer requires a license. And we need to enforce it with hard jail time / labor camp, when yet another douchebag leaks half a million rows of user data because he copy-pastaed from Stack Exchange.
... whatever
Not true at all. I've been programming since I was 6 (now 37), have a degree in CS, and spent the first 13 years of my post-college career doing C++ programming. I transitioned to web development because I find it interesting. I work with other highly intelligent, skilled web developers. Web development has moved beyond putting together a blog. Some people, such as myself, think the challenges involved in putting together a scalable, responsive, functional, secure web app are interesting, and after reaching a bit of burnout in my C++, I feel a bit renewed. Not to mention the fact that learning how best to utilize a new set of languages and technologies has made me a better programmer all around, even benefitting the times I need to switch back to C++ mode.
Does anyone else long for the days when you could make a decent website without needing half a megabyte of javascript, a database engine and some horrendous mishmash of AJAX? When people were happy to submit things via a form element and accept a page refresh, rather than require some code screwing around in the DOM? The time when things just worked, every time, when you could browse the internet in text mode. When images were images, not javascript-powered adverts jumping out at you.
If you need anything more then HTML, CSS and forms, I hope you have a very good justification.
Why are you using client side code to store data? Bad overall concept from the get go. If you really need to store "large" amounts of data for a web session then store a session flag in the client and use encrypted sockets to transport the data to a secure server and flush the temp storage when you're done.
maybe Apple will change its iTune regarding HTML5?
Speak for yourself.
Storing information on the client's computer isn't new and isn't limited to HTML5. Using JavaScript it has been possible to store/access files on the client's computer since the 90s, at least in supporting browsers. Plus, with the ability to use cookies, a creative developer could store a good deal of important information on the client for future use. There isn't anything new about this concept, except perhaps ease of storing large volumes of data.
Labor camp, or any other similar phrases, are just another term for slavery.
Slavery, forcing a person to work. Labor camp, forcing a person to work. Labor camp=slavery.
Oh look, even Wikipedia makes that point.
If you're a real communist you wouldn't be advocating for such shit.
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
I think what we need is to recognize that creating and deploying software has consequences, and as such we need a developer license, similar to how being a surgeon or a lawyer requires a license.
But but but, how will this allow for those highly necessary H1Bs? Our economy would go down in flames!!!
The cesspool just got a check and balance.
Wrong. Why would anyone want to take on such a job?
Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money (unless they're in a junior position, but the career goal is to have your own practice, or be a "partner" in a top law firm which is mostly the same thing).
Developers and other software people aren't their own bosses, unless they're contractors. They work for corporations, and are just paid employees, no different from secretaries or janitors. They have zero control over their own work and how they do it: they have to do whatever their boss tells them to. Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?
Oh right, forgot about those. I guess we need some kind of if (has_license || is_H1Bs_worker) { do_stuff(); }, yes... yes, much better. All is well now.
... whatever
Some fun facts about exploits that are available in HTML4 but are now being said to be HTML5 based so people stop thinking about them:
JSONP - Way more dangerous than CORS due to actually executing whatever is returned.
Flash - Cause who doesn't want your saved state to be accessed by other domains? See localStorage for a saner approach.
Iframe workers - WebWorkers are nicer, only pass around data, don't have code executing that can access multiple frames.
Some notes about "exploits" concerning attack vector origin:
Plaintext cookies - Just a storage medium. Only thing of note is it is always sent over the wire. You don't send passwords and usernames over the wire unencrypted right?
Storing data on the client side as an "exploit" - Lets just throw out file systems too, do you store data in your Java/C#/... programs on disk? could something run on the machine that could access the disk?
Same domain policy - Does your Java/C#/... program have this check in place if it has to pull down updates, a client side join on your data structures, or even nested web views?
Man in the middle - Use HTTPS with a CA and cache headers. For the love of Zod, cache headers.
Most of the "new" "exploits" are just the media not understanding that these attack vectors already exist in much worse ways. Unfortunately, many of the programmers reading "HTML" and "exploit" don't think about the attack vector as it affects their programs :-/
Historically, communist regimes had no problem with using forced labor.
Labor camp, or any other similar phrases, are just another term for slavery.
Slavery, forcing a person to work. Labor camp, forcing a person to work. Labor camp=slavery.
...snip...
If you're a real communist you wouldn't be advocating for such shit.
-- Support a free market in the field of government
what happened to the anchor thingy where a link goes to the same page but a different location?*blink*
Why should a developer be responsible for something failing when he was directed to write it in a half-ass manner by his boss?
Why should he or his boss be allowed off the hook when half a million records were just leaked? It's not so much about a license, that was an example, it is about enforcing due diligence in the business.
For instance, if you want to run a restaurant, you have to get a permit and will be subject to control visits to ensure that you comply with basic guidelines for handling food. Anyone can cook, but to be able to serve your food to other people, you have to have a permit. Same thing should apply to developers (and a whole host of other industries, but software development is the topic du jour), you can hack up a website all you want, but if you want to process payments or handle user data, get a permit and be subjected to control.
The problem is that programming is easy to begin doing, but hard to do right. And there are virtually no consequences when you screw something up royally. We've seen breach upon breach, malfunctions and abuse, yet every time it all boils down to "oops, sorry", and it fades away.
... whatever
You might not think it is worth doing things like https://www.facebook.com/, http://slashdot.org/, or http://www.amazon.com/ (to pick three well known examples of web applications). But some of us care about usefulness and/or getting paid.
-- Support a free market in the field of government
JavaScript: Where each web site has its own user account.
Web browsers are designed to handle the privilege separation in JavaScript the way operating systems handle user accounts. Each origin has its own account, and origins can't access resources associated with a different origin unless the owner of the different origin has opted into sharing the resource (CORS). Ideally, browser publishers treat violations of origin separation as seriously as OS publishers treat violations of user separation.
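The opt-in described in the comment above, shown from both sides as an added example that is not part of the original thread. The allowlist, the sample origins and all function names are hypothetical; `browserAllowsRead` is a simplified model of the browser's CORS check, not browser code.

```javascript
// Added example (not from the thread): how a server's CORS policy decides
// which origins may read a credentialed response. All names are hypothetical.

// Constructed allowlist of origins the resource owner has opted in.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
]);

// Constructed sample Origin header values, as a browser would send them.
const SAMPLE_ORIGINS = [
  'https://app.example.com',
  'https://app.example.com.untrusted.test', // look-alike host name
  'https://untrusted.test',
  'null',                                   // e.g. sandboxed documents
];

// Weak policy: reflect whatever Origin arrived and allow credentials.
// This opts every origin in, which removes the separation CORS relies on.
function weakCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// An Origin header is exactly scheme://host[:port]; reject anything else
// (paths, upper-case variants, the literal "null", unparsable values).
function normalizeOrigin(value) {
  if (typeof value !== 'string') return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.origin === 'null' || url.origin !== value) return null;
  return url.origin;
}

// Strict policy: exact match against the allowlist, no substring or
// suffix matching. "Vary: Origin" keeps caches from serving one origin's
// answer to another.
function strictCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };
  const origin = normalizeOrigin(requestOrigin);
  if (origin !== null && allowed.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Simplified model of the browser side: may script running on pageOrigin
// read a cross-origin response carrying these headers?
function browserAllowsRead(pageOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!withCredentials && acao === '*') return true;
  if (acao !== pageOrigin) return false;
  return !withCredentials ||
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// Which of the sample origins could read a credentialed response
// under a given server policy?
function originsAbleToRead(policy) {
  return SAMPLE_ORIGINS.filter(
    (origin) => browserAllowsRead(origin, policy(origin), true)
  );
}

console.log('weak policy  :', originsAbleToRead(weakCorsHeaders));
console.log('strict policy:', originsAbleToRead(strictCorsHeaders));
```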
Labor camp, or [*snip*]
I guess the "whoosh" meme would apply here, if it hadn't already been raped and beaten to death. Well, I guess it applies nonetheless, so there ya go: whoosh.
... whatever
Surgeons and lawyers are very different professions: they own their own businesses, they're their own bosses, and they make a ton of money
You are quite incorrect. Better pick another example to compare to if you want your argument to hold any water.
Most doctors do not own their own business and many aren't even paid all that well especially considering the hours required. The majority work for hospitals and thus are employed by someone else. The amount of money they make varies greatly by specialty. General practitioners as a rule do not actually make particularly high salaries. The lowest paid GPs have salaries of less than $90K per year with the mean somewhere around $175K. And they typically work 60-80 hour weeks to get that salary. Specialists tend to do better (though not always) and academic positions pay significantly worse than private practice as a rule of thumb. I'm married to an MD and she is not a business owner.
I don't know about lawyers quite as well but the data I've seen says about 20% are self employed. Lots of lawyers work for large law firms and most of them that do so are not partners.
We use HTML5/JS in conjunction with Apache Cordova to create Mobile Apps for iOS & Android. For most applications we're hired to do, mainly form apps really, this combo works well, we can build & deploy quickly. But everything we put into localStorage is encrypted using an AES library. The user chooses a password as the key and has to re-enter the password to retrieve the information. There is an option to wipe the database and clear all storage if you can't remember the password. It's simple and it keeps the data secure enough for our purposes. We're not storing credit card or other data usually. Is it foolproof, probably not, but better than nothing.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
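One way to build the password-protected localStorage scheme described in the Cordova comment above, as an added example that is not the commenter's code. It assumes the WebCrypto API (PBKDF2 and AES-GCM) rather than the unnamed AES library; `MemoryStorage` is a hypothetical stand-in for `localStorage`, and the function names, record layout and iteration count are assumptions.

```javascript
// Added example (not from the thread): encrypt values before they reach
// localStorage, with the key derived from a user password.
// WebCrypto is global in browsers and recent Node; older Node needs require.
const webcrypto = globalThis.crypto && globalThis.crypto.subtle
  ? globalThis.crypto
  : require('node:crypto').webcrypto;

const PBKDF2_ITERATIONS = 600000; // assumed work factor, tune per device

// Hypothetical stand-in for window.localStorage so the example runs offline.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  clear() { this.map.clear(); }
}

const encoder = new TextEncoder();
const decoder = new TextDecoder();
const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Stretch the password into a non-extractable AES-256-GCM key.
// The password itself is never used directly as the key.
async function deriveKey(password, salt) {
  const material = await webcrypto.subtle.importKey(
    'raw', encoder.encode(password), 'PBKDF2', false, ['deriveKey']);
  return webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: PBKDF2_ITERATIONS, hash: 'SHA-256' },
    material,
    { name: 'AES-GCM', length: 256 },
    false,
    ['encrypt', 'decrypt']);
}

// Encrypt one value. A fresh salt and IV are generated per record, and the
// storage key name is bound in as associated data so a record copied under
// another name no longer decrypts.
async function putSecret(storage, name, value, password) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const ct = await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: encoder.encode(name) },
    key, encoder.encode(value));
  storage.setItem(name, JSON.stringify(
    { v: 1, salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) }));
}

// Decrypt one value. AES-GCM authenticates the record, so a wrong password
// and a modified record both end in the same error instead of bad data.
async function getSecret(storage, name, password) {
  const raw = storage.getItem(name);
  if (raw === null) return null;
  const rec = JSON.parse(raw);
  const key = await deriveKey(password, fromB64(rec.salt));
  try {
    const pt = await webcrypto.subtle.decrypt(
      { name: 'AES-GCM', iv: fromB64(rec.iv),
        additionalData: encoder.encode(name) },
      key, fromB64(rec.ct));
    return decoder.decode(pt);
  } catch (err) {
    throw new Error('decryption failed: wrong password or modified record');
  }
}

// The "forgot my password" path from the comment: drop everything.
function wipeAll(storage) {
  storage.clear();
}
```

In a browser, pass `window.localStorage` where the example passes a `MemoryStorage` instance. Script running in the page after the user has entered the password can still read the decrypted values, so this protects data at rest only.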
Whoops. OK, you got me.
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
Historically, regimes that have claimed to be representing the workers, and to be moving towards communism (just as soon as they finished oppressing the bourgeoisie) had no problem with using forced labor.
But the thing is, they never claimed that the place was communist, only that the party was, and that the country was in the transitional state.
Total bullshit of course. Hence the use of the modifier "true" on "communist". A true communist being someone who actually desires a classless stateless society where the means of production are held in common. As opposed to a functionary who merely claims to want that, but really just wants a bit more power (or even merely to not get shot for opposing the state).
I could go on about it a bit more if you desire, but I hope you get the point.
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
Then provide an app. If so much data needs to be stored locally then you probably wanted to deploy an app, not a web site. IMHO the web should have been stateless all along. Cookies made some things easier but were never actually required (creative solutions are required without them).
Whenever data is brought into a system, the system is subject to attack. Whether from a network connection or distribution media, exploits have always used whatever avenue of infection was available. HTML5 or JavaScript cannot change that fact.
The ease with which an exploit can be fashioned is largely dependent on the level of access given the attack vector and the complexity of the code governing that vector. From Autoplay to VNC, the more control given the remote source, the more potential for manipulation.
As we demand more from web applications and the technologies that enable them, we will open avenues of exploitation, almost by definition. New demands on developers, engineers and designers will be a natural result of this.
On the bright side, this likely means a richer employment environment for web professionals; the flip side is it probably means more jobs for web hacks, too.
So true communists want HTML without any sessions, cookies, or CSS? They can have it. And they can keep it.
The biggest problem with this is you can't really decide whether an application is safe as easily as you can with food or buildings.
With food it's pretty easy - labs can test for most of dangerous stuff, and failure is pretty visible by customers getting sick.
Buildings are harder, but computations and simulations will tell you what you need. Failure is very much visible.
With programs it's pretty much undecidable and failure can usually only be noticed by outside tools - program doesn't notice its SQL injection flaw, only a sysadmin checking httpd's access.log will notice suspicious 'index.php?user="; select user, password from users; --'
We already have legislation to punish for improper handling of sensitive data, like credit cards or medical records. Only outcome from demanding no breaches at all from everyone would be everyone sweeping breaches under the rug. Oh, I know - let's just give government access to everyone's servers - solely to check for signs of unreported intrusions, of course! We promise we won't look anywhere else.
Or let government contractors write every official site in Completely Statically Verifiable Languages, spending ten times more time and money (and still having plenty of opportunities to fuck up) and post a notice on all other sites to the effect of "Government made us put the notice that we can't guarantee your data's safety. Don't like it - go away."
I have never seen a C++ programmer without a degree either, C++ must be pretty awesome to require a degree! You heard it on the internet, so it must be true. On a more serious note: colleges that still state that the web is not where programmers go are wrong. How many problems involve networking, and how much better is the tooling for using existing robust (HTTP) apps vs proprietary binary protocols? Also, how easy is it to add a GUI that consumes that API via a browser vs. QT, SDL, wxWidgets?
Restaurant cooks don't have licenses. The restaurants themselves do, but the cooks and other low-level employees do not.
So why are you trying to make the low-level employees bear all the responsibility, instead of their bosses and the corporations they work for?
Software developers are just like line cooks; they have no say in anything, they don't get paid much (compared to the corporation executives), so why should they have to get licenses?
Yes. I think this falls under the "No True Scotsman", but I see how you could disagree.
-- Support a free market in the field of government
Restaurant cooks don't have licenses. The restaurants themselves do, but the cooks and other low-level employees do not.
What's the difference? Either the cooks enforce the guidelines to avoid losing their license, or the restaurant does. There is no practical difference from the view of the consumer. It is, as we would say, an implementation detail.
So why are you trying to make the low-level employees bear all the responsibility, instead of their bosses and the corporations they work for?
I'm not. Anyways, the question was asked and answered.
Software developers are just like line cooks
No, not any more or less than cooks are. In fact, you could probably find more self employed "developers" than cooks (discounting home cooking here), which is part of the overall problem. It is impossible to produce error free code, but good practises and a proper education reduces this risk enormously. But there is a misunderstanding in the rest of the world that "anybody can code", which in turn leads to self-taught imbeciles being let near critical code, and the failure of that logic is only exposed when someone gets hurt. I'm (apparently boldly) stating that it doesn't have to be that way.
... whatever
I'm sorry... are you saying $175,000/ year isn't a FUCK TON of money?
Basically that is exactly what I'm saying. While no one is asking anyone to cry for the doctors, you seem to think they are incredibly wealthy which demonstrably is not true. Many do quite well in the long run but they pay a steep price to get there. First off that is gross pay and makes no allowance for cost of living in your area. $175K in NYC doesn't go far when even a crappy condo can easily cost $500K. Where I live the gross salary for a GP is more like $90-120K/year. Cut that salary number in half once taxes are taken into account. Furthermore a huge number of doctors graduate with between a quarter million to a half million in debt from their schooling. That takes $20-50K per year right off the top of their pay just in debt service. Don't forget the huge insurance costs which are in the tens of thousands of dollars. Also bear in mind that doctors are not paid for the 4 years of medical school on top of 4+ years of undergrad school and are paid a rather low salary (usually around $40K/year) while in residency which can last for between 3-8 years. That's effectively a decade or more of less than minimum wage work once you calculate the hourly wage while piling up enough debt to pay for a fairly nice house. The opportunity cost is enormous.
Did you start your career 10 years after your college educated peers with a mountain of debt and limited transferable skills? Did anyone have to pass laws to prohibit you from being forced to work more than 80+ hours a week for no extra compensation? (laws which regularly get ignored and endanger patients by the way) Have you ever been required to work 36 hour shifts without any sleep? No. You just looked at the gross salary number and decided they make just a bit less than Bill Gates and live lives of luxury and ease. The real world is a little more complicated than a gross salary figure.
60 - 80 hours a week? Welcome to minimum wage just trying to get by while supporting a family.
I've been there working very long hours for minimum wage or less. Know what? Doctors often have it worse when it comes to lifestyle. They give up a decade or more of your life training working your ass off for an hourly rate of less than minimum wage just to get started in your career with a mountain of debt. They might make a decent salary but many of them hardly get to enjoy it. I've worked a 14 hour day, and my wife who left for work before me was still at work. I've seen her pull 36 hour shifts at the hospital. Being on call means you effectively do not get any sleep and some doctors are on call as often as every 3rd or 4th night and they often don't get a day off in between. My wife spent a year or two working for minimum wage in a lab before medical school and refers to it as the happiest year of her life. Sure she had to scrape to make ends meet but her time outside of work was her own. Becoming a doctor is an objectively miserable experience and even once you begin your career the lifestyle still sucks for many doctors. I don't know how many I've spoken to who would choose another profession if they had the chance to do it all over.
FIX YOUR PERSPECTIVE!
You have no idea what my perspective is. I've been poorer than a church mouse and worked my ass off to get where I am today. I've also worked with and lived with doctors (including my wife) and seen what they have to go through first hand. I know up close and personal what I am talking about and I'm pretty sure you do not.
I don't know where you get all this BS. Most doctors work for themselves or for a small group of doctors
How about The New England Journal of Medicine? How about NPR? How about the doctor I am married to? Hospitals hire huge numbers of doctors and the rate has been increasing in recent years dramatically.
Every time I've been to a hospital (and everyone I've ever known has), I got multiple bills, one being from the hospital, and one being from the doctor.
That has precisely nothing to do with how the doctor is compensated for his/her take home pay. While it is possible that the two are independent (there are lots of independent doctor's offices), a great many practices are actually fully owned subsidiaries of hospital systems. Just because you are not in the main hospital does not mean the hospital does not own the practice. If you look you'll often see that an outpatient clinic or seemingly independent surgery center is actually affiliated with one of the major hospital systems in your area. Hospitals have been on a buying spree for the last decade. Bills for medical care are commonly not integrated. The mere fact that you received multiple bills means very little by itself. Hospital systems also are the largest category of employer for new doctors. Just because you have some limited personal experience with a few practices doesn't mean anything regarding who actually employs doctors.
Doctors DO NOT work for hospitals.
Like hell they don't. 1 in 6 works directly for a hospital and over half work for so called integrated delivery systems which is basically the hospital's wider network. Effectively captured business or subsidiary businesses. There has been a 75% rise in the number of doctors employed directly by hospitals since 2000.
The last two places I've lived cooks did have permits.
That is in addition to the license the restaurant, daycare center or other business handling food has.
For a food handler making $8 - $10 / hour, the permit requires a one-day class. If they screw up, someone might get food poisoning. For an attorney to make ten times as much, the license requires seven years of school. If they screw up, someone might go to prison.
Where on the professionalism / risk scale should web developers be? Should they require LESS training than a fry cook?
Nothing prevents you from setting up a proxy-server that changes the origin headers, to grant the whole Internet access to a resource someone wanted to be "only from their own website".
Copyright does if any of these resources qualifies as an original work of authorship. The use of CORS to control access to web fonts is an intentional example of this.
The difference is that, if you're a cook in some shitty restaurant where they don't keep stuff clean, and someone gets sick and sues the restaurant or the health board investigate, it's the restaurant and its owners who get in trouble, have to pay judgments, lose their food service license, etc. As a cook, you'll probably lose your job when the restaurant goes belly-up, but you can walk down the street to another restaurant and just get another job.
In your stupid world, software developers who are part of a team led by a shitty manager at a shitty company would be held personally liable for software defects, would have multi-million dollar judgments against them, and would never be able to work again after losing their license because of a mistake made by another team member, the boss's poor direction, the QA team's failure to catch the problem, or the upper management's failure to even have a QA team in the first place (they decided to lay off the QA department to save money and get a big bonus).
And we need to enforce it with hard jail time / labor camp, .....
Label? I'll take the bright red one with Communist written on it.
Why do you have to fall into the stereotype so well? You're not even in charge of a country yet, and you're already trying to throw people in jail.
"First they came for the slanderers and i said nothing."
Yes. I think this falls under the "No True Scotsman"
Sort of, but not really, because Marx was fairly clear defining 'socialism' as a step towards 'communism.' The Soviets even stuck 'socialist' in their name, to make clear that they were moving towards communism, but hadn't made it yet. Briefly:
Communism = "To each according to his needs, from each according to his ability."
Socialism = "To each according to his contribution."
"First they came for the slanderers and i said nothing."
Um... if you think that's all it takes to do web development, you've obviously never worked on a large scale one. Also, fyi, the people I work with range in backgrounds (civil engineers, electrical engineers, and of course so CS).
The difference is that, if you're a cook in some shitty restaurant where they don't keep stuff clean, and someone gets sick and sues the restaurant or the health board investigate, it's the restaurant and its owners who get in trouble, have to pay judgments, lose their food service license, etc. As a cook, you'll probably lose your job when the restaurant goes belly-up, but you can walk down the street to another restaurant and just get another job.
Well sure, if we absolutely want to keep the analogy alive, I suppose you could see it that way. And then what happens? Is the cook not, in part, responsible for what happened at his former workplace? Unless he's the one who called the health board, he did nobody any good, but due to his willful ignorance, he may have caused harm. Why should he go free?
In your stupid world, software developers who are part of a team led by a shitty manager at a shitty company would be held personally liable for software defects, would have multi-million dollar judgments against them, and would never be able to work again after losing their license because of a mistake made by another team member, the boss's poor direction, the QA team's failure to catch the problem, or the upper management's failure to even have a QA team in the first place (they decided to lay off the QA department to save money and get a big bonus).
You aren't really arguing against what I said, you're just shuffling blame around between pretend people. And you do not have to choose either all black or all white when implementing responsible policy. A software defect is very much a different beast than half a million leaked user records, you can choose to handle each case differently. Who knows, maybe even apply some common sense.
Fact is though, that most of the breaches and failures of software is not due to typos in the source code, or innocent "oopsies". They're caused by ignoring common security practices in the name of profit, much like you say. When that happens, I would like to see some actual consequences for the people who made those decisions, no matter where they are placed on the organisational chart.
... whatever
"Developer: a person who cuts down trees, then names streets after them."
Yep. I'm a long-time web developer, and I do a lot of thinking about security and the sorry state of it on the Internets.
Any time you decide to include third-party code in your pages, you are asking for trouble. The list of hijinx that a third-party script can cause (even with strong cross-domain protection) is limited only by the imagination of the attacker. For instance, even if they can't get at your precious session cookie or local storage data, an attacker can modify the DOM, right? And show a big, window-filling DIV that looks exactly like your login screen, complete with your own assets. Good fun.
I cringe when I see big, commercial sites that ought to know better include trackers and other code from services they do not control -- in many cases poorly-funded startups that could fold or be bought out overnight. And if someone unscrupulous gets ahold of the company, or just the domain? Boom, code injection across your entire site.
Because that's exactly what we're talking about: remote code injection as a best practice. It's the most ridiculous head-in-the-sand way to deploy software ever invented. You would never stand for this kind of thing on your desktop (running an unsigned executable over http) but for some reason it's how things are done on web pages. Sure, your browser provides a sandbox, but everything inside that sandbox (your web app!) can still get arbitrarily hacked.
Web security is a huge freaking mess, and it's going to take us a generation to undo the standard procedures and move to a place where security and privacy are more than just buzzwords.
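As an added example (not part of the thread), here is one way to take stock of the exposure the comment above describes: list every script a page pulls from another origin, and flag those fetched over plain HTTP or without a Subresource Integrity `integrity` attribute. The page URL, the sample HTML and the function names are constructed for illustration, and the regex-based tag scan is a simplification that assumes reasonably well-formed markup.

```javascript
// Constructed sample input: a login page that mixes first- and third-party scripts.
const PAGE_URL = 'https://shop.example/login';
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="http://tracker.example.org/t.js"></script>
<script async src='//widgets.example.com/badge.js'></script>
<script>var inline = 1;</script>
</head></html>`;

// Read one attribute from a start tag; handles double-quoted, single-quoted and bare values.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one finding per <script src> whose origin differs from the page's origin.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, 'src');
    if (src === null) continue;              // inline script, nothing is fetched
    const url = new URL(src, page);          // resolves relative and protocol-relative URLs
    if (url.origin === page.origin) continue; // first-party
    const issues = [];
    if (url.protocol !== 'https:') issues.push('loaded over plain HTTP');
    if (!attr(tag, 'integrity')) issues.push('no integrity attribute');
    findings.push({ origin: url.origin, src: url.href, issues });
  }
  return findings;
}

for (const f of auditScripts(SAMPLE_HTML, PAGE_URL)) {
  console.log(f.origin, '-', f.issues.length ? f.issues.join('; ') : 'pinned with integrity hash');
}
```

An `integrity` hash only pins the file that was reviewed; a third-party script that must change without notice cannot be pinned and stays fully trusted code on the page.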
The cook should go free (unless you can prove he's the one who poisoned someone--good luck with that) because he's making minimum wage and if he doesn't keep his job, he starves. What's more, if he calls the health board, he'll never work as a cook in that town again, since business owners always cover for each other. It's the government's job to inspect restaurants, not to rely on people to call them when there's a problem because that won't ever work.
This should be directly controllable by the end user
A single web page may already include components from a dozen origins, such as an <img> element whose src= attribute references an image from a CDN. How would you design a user interface to give the end user the power to cancel or allow every request made to a different origin without having it become as annoying as the Windows Vista behavior that made "Cancel or Allow" into a punchline?
Why is encryption something we have to afford?
Because IPv4 addresses are scarce, and because Internet Explorer for Windows XP and Android Browser on Android 2.x lack the "Server Name Indication" SSL extension required for name-based virtual hosting in HTTPS.
In Firefox for Windows and Firefox for Ubuntu, I can middle-click "Reply to This" and get the plain old form that Slashdot used to use before it went all AJAXy. Other browsers may require right-clicking "Reply to This" and choosing "Open in New Tab".
In Capitalism, man exploits man. In Socialism, it is the other way around.
The problem isn't economic/political systems, it is human nature.
PS: I'm against the dictatorship of anyone by anyone, whether it's the 1% in the US or the "dictatorship of the proletariat".
Yes, but that already occurs with poorly-designed sites.
If a web application has a legitimate reason to access resources that are behind more than one domain, what's the non-poor way to design such a web application?
If a web application lacks an offline mode, then the developer is placing the burden not on the user's machine but on the user's (increasingly capped) last-mile Internet connection.
I have no problem with requiring software developers to be licensed. However, it would probably double initial development costs at least, partly because there would need to be more review and verification, and partly because developers would have to go through the certification process, making them fewer and more expensive to hire/rent, especially for niche languages and tools.
Table-ized A.I.
I've found failures due to 3rd-party blocking to be (A) fairly rare [...] usually when I block, I simply don't see the image. Or I just see the little "broken image" symbol in my browser.
If you apply same-origin policy to images in HTML documents by default, then I fail to understand how it would be "fairly rare" for you to encounter a page that's a sea of broken images. For example, Wikipedia (upload.wikimedia.org), Wikia (nocookie.net), Google (gstatic.com), Yahoo! (yimg.com), and eBay (ebaystatic.com) all routinely host images on a separate domain from the HTML document, often to prevent repetition of the user's session cookie in the HTTP headers for each image request.
The cook should go free (unless you can prove he's the one who poisoned someone--good luck with that) because he's making minimum wage and if he doesn't keep his job, he starves.
That is just ridiculous. Nobody should be exempt from justice based on their salary, high or low. You're looking at this from the wrong side, this is not about the cook and his continued existence, it is about the numerous people that potentially got hurt by him or his colleagues. In any case, this analogy has far outlived its usefulness.
Developers who deliver shitty work, no matter the cause, should have to answer for that. If the developer takes a short cut to produce a product, and that short cut in turn ruins the lives of a hundred people (for whatever reason), you bet he should burn. It might be his manager, his CEO, or whoever else ultimately is to blame, but I'm fucking sick of hearing of million-tuple leaks that don't have consequences - and even more sick of hearing people on here think that is a good thing.
... whatever
Hah, I don't care, but that was funny. The sig is not to be taken literally, the key word being label. As in, the label most often applied to people who have differing views, especially by politicians in the western world. It also serves as a flamebaiter, some people around here have a tendency to go straight into the red when they see it. I find that amusing.
... whatever
but that was funny.
Good.
"First they came for the slanderers and i said nothing."
Sandboxed applications running locally on a user's machine, or are you unfamiliar with the concept of sandboxing?
I'm familiar with sandboxing. But the only mass-market operating systems that use it by default for all applications are cell phone operating systems, and I think this is because the expected mode of user interaction on cell phones is shallow enough to make all-or-nothing configuration of capabilities practical. I don't understand what home user is going to be willing to sit down and spend time with each application to specify on which ports, using which protocols, to which hosts, each local application should be allowed to connect, or which files in which folders each application should be allowed to access.
To even the most simple-minded person this is obvious
I was trying to rule out "I feel superior to you and prefer to express this in a snarky way as if you were a student in my grade school class."
You've failed to comprehend what was written
If I failed to comprehend something, that could mean that you may have failed to express it.
Communism is great in theory. The same is said for Capitalism. However, they are both corruptible in practice.
In regards to forced labor during Communist Russia, you can read One Day in the Life of Ivan Denisovich.
Then I guess the debate is about the scope of what each "Allow" action allows. Should "Allow" allow all documents on all hosts in this domain to transclude all resources on the Web until the user says otherwise in a well-hidden settings page? Should it allow only resources on one page to transclude resources from one hostname, with the permission forgotten as soon as the user navigates away from the page?