I think the main problem is that when I have both IE and Mozilla installed, there's no easy way to have both "Open in IE" and "Open in Mozilla" in the context menu for an html file. IE and Mozilla fight for the extension, not giving you the option to have both browsers associated with the file type. If you want to change your default browser later, and you somehow manage to find the "open with..." option in explorer (shift+right-click), you have to select from a list of every application on your system rather than just a list of web browsers.
In addition to those problems, the single-program-per-extension system forces uninstallers to be unnecessarily complex. For example, if you uninstall Mozilla, apparently it's Mozilla's responsibility to tell Windows to switch back to using IE. Mozilla can't just tell Windows "I'm not here anymore, so find another program to handle html files".
And don't even get me started on how hard it is for a browser to determine whether it's safe to open an untrusted file with its default application. Apparently the solution is to hard-code a long list of "dangerous" extensions from Microsoft's web site into your browser. At least Microsoft isn't trying very hard to establish a monopoly on secure web browsers...
It would be strange if pagedown worked in a textbox, because arrow keys don't work (in fact, they scroll back to the textbox!), and because in a textarea, pagedown has to scroll just the form control.
I don't understand why Mozilla uses emacs keybindings at all, but since it does, I think it should use a different keyboard modifier for commands and for text editing. The problem is that then you're left with no key for opening menus or jumping to web page elements with the accesskey attribute.
In a recent documentary about CCTV, Monty Python's John Cleese foiled a Visionics face-recognition system that had been set up in the London borough of Newham by wearing earrings and a beard.
I think they're actually talking about Cleese's four-episode series about faces, which did not concentrate on CCTV. There was a short segment in which Cleese tried to fool a surveillance camera by cross-dressing and then by covering most of his face with a tilted hat and large sunglasses. The camera recognized him the first time but not the second.
''We have created a biometric network platform that turns every camera into a Web browser submitting images to a database in Washington, querying for matches,''
I hope they didn't mean that literally. I'd hate to think what would happen if the camera saw a pop-under ad for the X10 spycam.
But in browsers there's another level of unpredictability that is a pain. You never know where the next tab is going to leave you. Could be any number of input forms, or a URL, or maybe you didn't realize it and your focus isn't on the page... it makes navigation with a keyboard near-impossible.
Here are some ideas that might help:
- bug 66285 use a different shortcut to navigate tabs and to navigate links
- bug 67684 directional keyboard navigation: instead of using Tab for "go to next focusable element", you could use Alt+Shift+right for "go to closest focusable element to the right".
- Web pages should use accesskeys more often. For example, on msn, you can press Alt+S to jump to the search field. Removing the search menu (bug 67414) from Mozilla would make it easier for page authors to use the Alt+S shortcut, giving accesskeys a much higher chance of becoming ubiquitous.
- bug 37638 the URL bar has initial focus too often (for example, when you start the browser). It's usually better for the page in the content area to have focus, so the user can scroll the page using the keyboard. Worse, accesskeys stop working (bug 64606) when the location bar has focus.
- bug 66597 after searching the page, Tab should go to an element after the beginning of the selection rather than the first element on the page. Combined with inline search (find-as-you-type, with no dialog), this would make it easier to jump to links.
You should also check out the netscape.public.mozilla.accessibility newsgroup. Mozilla's accessibility team spends a lot of time making sure the browser works well with the keyboard, in part because blind users can't use pointing devices easily.
Do you realize that when the focus is in the page (> 90% of the time), almost every single keypress does absolutely nothing?
That's a good thing. It means that you don't have to check what has focus before pressing Ctrl+W (close window) or Alt+Left (back) or Ctrl+L (focus location bar). If Mozilla used single-letter keyboard shortcuts, users would find themselves stuck whenever they went to a search engine's front page.
Ahh, ok. Why would you use the other (incorrect) form of snprintf if you can use something like strncpy instead? Also, what problems does a user-specified format string cause (I don't see how it could cause a buffer overflow)?
With the rp_filter option, Linux (by default) drops packets that are spoofed to look like they come from a different network.
How can it be the default if it only happens after you enable an option?
It should be difficult to set up a router that doesn't know the IP address range of each cable coming in and out of it. You should be required to give it that information while setting up the router unless you explicitly tell it "don't filter". I've never set up a router myself, so I don't know whether it already works like that, but I'm guessing it doesn't based on the prevalence of this security problem.
Why doesn't telnet print out a warning message when you run it? It should inform the user that the information is not encrypted for transmission, just like web browsers do when you submit a form to a web site without encryption. It could also suggest using ssh instead if the machine you're logging into supports ssh.
The problem with the "OK" button is that people quickly get conditioned to press it whenever it comes up since that's what they meant most of the time.
That's why it's a good idea to make the security warning not appear when the user tries to open a JPEG image attachment (ahem OE 6 for Win98). Actually, the worst case with OE 6 is that a multipart/signed message appears as an empty message with a text attachment and a ".dat" attachment, each of which triggers the warning dialog.
OE 6 did get one thing right: they made the security warning dialog visually distinct from other dialogs. That makes it likely that users will at least read it once.
One of his sites, per the cnet story, was cartoonnetwork.com.
I think the cnet story was trying to say he owned a misspelling of cartoonnetwork.com. It took me a few seconds to figure out what that sentence was trying to say, as well. That doesn't change the fact that many of his hits were from children, but it does mean that he didn't get hits from 60% of the people trying to find the cartoon network's web site.
Here's the sentence: "Zuccarini registered many misspellings of popular sites, such as Cartoonnetwork.com, the FTC said, in a bid to draw traffic from sloppy typists."
my site uses popups to provide modeless functionality such as settings, login, info etc... (and no, none of them 'lock' you in, or even contain any advertising). we just did it that way because it makes sense, and it makes the site 'feel' a little more like an application. however, if you disable pop-ups or javascript then we're screwed.
If the elements on your site that trigger your page to open new windows are links or buttons, there's a Mozilla setting people can use to allow that kind of new window while disallowing onload/onunload pop-up ads. If the site randomly throws up new windows, your users probably close 30% of them before they load thinking they are pop-up ads, so you might as well change the triggers to be links or buttons.
[Konqueror] allows you to control the behavior of the popups. Either you can let them popup, have it ask before pop'n them up, or deny them.
Since you seem to be on a platform that Konq runs on, I'll ask you: does Konq block pop-ups by default, or does it just give you the option to block them? If it blocks pop-ups by default, I'll commend its authors for being the first JS-supporting browser to ship in a state not vulnerable to the pop-up hydra DoS attack. If not, it's still good that you can block them. (I haven't checked Mac-only browsers, so I could be wrong about the "first" part.)
Some users may need to create exceptions for sites they trust; most likely those sites were written before people realized that window.open was abused so often that its use would have to be restricted. Also, some users may want to place further restrictions on all sites if they visit many malicious sites, such as "you may only open a new window if I ctrl+click a link".
I agree that security should be the default, but I think some user-visible options are also necessary in this case.
It isn't supposed to catch onmouseover and onfocus. There are legitimate uses for that.
I meant that it's supposed to prevent web pages from opening new windows while handling onmouseover and onfocus events. There are very few legitimate uses for that, and once aggressive advertisers realize they can't use the onload event, they'll use one of those instead.
Not all porn sites pay per impression. Gamma Entertainment, a company that runs several large porn sites, will pay you either $25 per sign-up (through text, banner, or pop-up links) or five cents per banner click. If your pop-up ad is annoying, nobody will intentionally click on it and sign up, and you won't get paid. They won't pay you for banner impressions at all, probably because they received a large number of complaints that webmasters were claiming pop-up ads as impressions.
I'm sorry this sounds like an ad. I don't work for them and if I was trying to make money from this post, I'd have created a referral-kickback link.
Had Microsoft done it, people would have complained about how they were ignoring standards and dictating standards.
I doubt it. The W3C pays very little attention to privacy and security in most of their recommendations. The fact that web sites aren't allowed to look into an <iframe src="http://www.amazon.com"> and pull out your name from the "welcome" message is not standardized anywhere, and in fact each browser has slightly different rules about what things you can pull out of and push into frames whose content is from another web site.
The W3C's ignoring security has also led to some holes that affect multiple browsers, such as web sites being able to find out whether a link is marked as visited using CSS. Yes, your boss could point you to a web site that creates invisible links to the last 200 slashdot stories, quietly counts the number that are marked as visited, and reports back to your boss how much /. you've been reading at work lately.
A spam message wastes some of my bandwidth and a few seconds of my time. A "hydra" pop-up ad wastes some of my bandwidth and more than a few seconds of my time. The fact that I posted my e-mail address on my web site does not give you permission to use my resources to market to me. Clicking a link at a TGP (list of porn galleries) must imply a little more consent, because I obviously put up with banner ads, but I don't see why it should imply any more consent than "you may display things in this browser window". Not "you may open new browser windows or otherwise make it difficult for me to leave your site".
We deal with spam first by black-holing rogue networks, then through government regulation, and perhaps occasionally through international pressure. Why are we skipping straight to government regulation for pop-up ads, rather than trying the black-hole approach first?
Along with other suggestions, try putting a shortcut in %USERPROFILE%\SendTo
I use that for text editors, but it's not really convenient to put all my image viewers, web browsers, video players, etc in SendTo.
Computer users aren't using computers so they can follow instructions. That's what computers are for.
What's wrong with snprintf(buf,len,user_input)?
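An added example, not part of the original comments, comparing the call asked about with the fixed-format form. The function names and inputs are constructed for illustration, and the unsafe form is only ever given input whose behaviour is defined.

```c
#include <stdio.h>
#include <string.h>

/* The compiler reports the call below under -Wformat-security; the warning is
 * silenced here only so that the side-by-side comparison builds everywhere. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* Form asked about: the untrusted text IS the format string.
 * snprintf still limits the write to len bytes, so buf itself is not
 * overrun. The problem is that each conversion in the input (%x, %s, %n ...)
 * makes snprintf fetch an argument that was never passed, so it reads
 * (or, with %n, writes) memory the caller never offered. */
int copy_as_format(char *buf, size_t len, const char *user_input)
{
    return snprintf(buf, len, user_input);
}
#pragma GCC diagnostic pop

/* Corrected form: the format is fixed and the untrusted text is only data. */
int copy_as_data(char *buf, size_t len, const char *user_input)
{
    return snprintf(buf, len, "%s", user_input);
}

/* Hypothetical audit helper: count conversion specifications in s.
 * "%%" is a literal percent sign and takes no argument; every other '%'
 * starts a conversion that takes at least one. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the second '%' of the pair */
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char a[32], b[32];
    const char *benign = "100%%";      /* constructed: no argument needed */
    const char *hostile = "%x.%x.%s";  /* constructed: never used as a format */

    copy_as_format(a, sizeof a, benign);
    copy_as_data(b, sizeof b, benign);
    printf("as format: %s\n", a);      /* input was interpreted */
    printf("as data:   %s\n", b);      /* input was copied byte for byte */

    printf("arguments a format call would fetch for \"%s\": %d\n",
           hostile, count_conversions(hostile));
    copy_as_data(b, sizeof b, hostile);
    printf("as data:   %s\n", b);
    return 0;
}
```
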
Do you know how the website operator did that? I had that happen to me twice while I used IE 5.5 and never figured out how it was done.
Those who would trade essential scientific exploration for a temporary increase in local social programs deserve neither.
The real question is, is this a violation of the owner's civil liberties...
No. Your right to swing your javascript stops where my browser's chrome starts.
There are no user-visible options for what web sites are allowed to do in Mozilla, so I don't find it surprising that users complain that they're given an all-or-none choice.
You can get some documentation on Mozilla's configurable security policies here, and you can also test the new hidden pref to prevent web pages from opening new windows while they are loading or while the user is leaving the page. Note that the new hidden pref is still buggy: it catches some things it shouldn't, such as clicking a javascript: link in a page while the page is still loading, and fails to catch cases like onmouseover and onfocus.