• 0 Posts
  • 11 Comments
Joined 2 years ago
cake
Cake day: June 13th, 2023

help-circle

  • Mountaineer@lemmy.worldtoMemes@lemmy.ml"~~Don't~~ be evil"
    link
    fedilink
    English
    arrow-up
    17
    ·
    1 year ago

    This whole episode is giving me flashbacks to the ActiveX days.

    Image

    The tyranny of the default.

    “Here mum, I’ve installed Firefox for you, it’s better than Chrome in every way!”
    “My knitting circle website doesn’t work, I can’t download patterns, it says I need Chrome”

    Internet Explorer was effectively abandon-ware for a decade after Microsoft used their OS pseudo-monopoly to crush Netscape.
    It took another tech giant abusing THEIR monopoly to relegate IE to the trash heap it should have already been on.



  • Mountaineer@lemmy.worldtoMemes@lemmy.ml"~~Don't~~ be evil"
    link
    fedilink
    English
    arrow-up
    62
    arrow-down
    5
    ·
    edit-2
    1 year ago

    So you won’t use your banks website?
    Or your utilities (gas/water/electricity/internet)?
    You won’t let your kids use the portal at their school for submitting assignments?
    Your government sites for renewing your drivers license or scheduling hard refuse pickup?

    I can think of lots of reasons that will force me to have chrome installed if this goes ahead.



  • JavaScript (TypeScript) has access to cookies (and thus JWT). This should be handled by web browser, not JS. In case of log-in, in HTTPS POST request and in case of response of successful log-in, in HTTPS POST response. Then, in case of requesting web page, again, it should be handled in HTTPS GET request. This is lack of using least permissions as possible, JS should not have access to cookies.

    JavaScript needs access to the cookies, they are the data storage for a given site.
    To protect them, the browser silos them to the individual site that created them, that’s why developers haven’t been able to easily load cross domain content for years, to mitigate XSS attacks.
    The security relies on the premise that the only valid source of script is the originating domain.
    The flaw here was allowing clients to add arbitrary script that was displayed to others.
    You’re dead right that only the way to fix this is to do away with JavaScript access to certain things, but it will require a complete refactor of how cookies work.
    I haven’t done any web dev in a few years, this might even be a solved problem by now and we are just seeing an old school implementation. 🤷






  • Absolutely possible.
    The key to simple self hosting is to have a dns record that points to your externally accessible IP, whether that be your real one or an external one hosted at a VPN provider.
    If that IP changes, you’ll need to update it dynamically.

    It’s becoming increasibly common to be a requirement to do so as CGNat becomes more widespread.

    One of the newer ways to do that is with a Cloudflare Tunnel, which whilst technically is only for web traffic, they ignore low throughput usage for other things like SSH.