Charlie,

As for autoplay and XSS attacks...
Usually autoplay is through JavaScript on the same domain. When you whitelist a domain, autoplay will usually start again.

The way noscript's whitelist works is based on the source domain of the script, not the website domain. This allows a site's custom js to work, but it will stop other sites like intellitxt or ad-tracking sites. This will stop XSS listed on a different host, but it will not help you if the entire server is compromised and malicious js is on the same server.

This can cause a problem if a site uses a third-party JavaScript framework and does not host a copy of the framework locally. But this generally is not a good idea and most sites don't do this anyway. If they do, noscript does have an option to "allow all scripts on this page."

In addition, noscript has a setting to temporarily allow a domain which will let you "test" settings until the end of your browser setting.

Generally, I got started with noscript for two reasons...
    1) I believe in a site getting revenue through ads, so I do not use adblock, but I do not want my movement across the web tracked.
    2) I occasionally have to deal with certain hotel wifi systems that used JavaScript to inject advertising iframes. Needless to say, I am not happy (or trusting) when this happens.

Charlie Arehart wrote:

Nope, Frank, I don’t. I instead avoid sites that do that auto-playing. :-) I’d rather “make my vote” that way, and especially publicly when I get the chance.  

I realize it’s different strokes for different folks. Those who choose to use that just need to know that there are some of us who will prefer not to visit their site (and perhaps not even use their tools) if they go that way. The CFDJ and other sys-con.com magazines suffered a lot of grief for doing the same. Anyway, I ended my note with a grinning emoticon as I realize Lance may be preferring to reach “end users” more than techies, and may be willing to trade away our concerns to wow them. :-)

But perhaps others will appreciate your suggestion, so thanks for sharing it.

As for it avoiding XSS attacks, well, wouldn’t you need to stop all JS to do that, not just auto-play? I’d really not want to forego all JS to avoid that risk. Just one of life’s risks we all need to weigh. I still choose to drive down a road at 50mph with cars passing me just a couple of feet away with only a yellow line separating us. :-) But if I’m misunderstanding, feel free to clarify, for me and others who may be interested.

 

/charlie

 

From: [email protected] [mailto:[email protected]] On Behalf Of Frank Moorman
Sent: Monday, January 03, 2011 4:53 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] CMS Preferences

 

Auto playing video? Don't you use the noscript add on for firefox? I find that makes the web much better. Just whitelist the sites you trust and avoid the web-annoyances you don't like. It's also a great tool to avoid xss attacks.

Charlie Arehart wrote:

Done, though I was tempted to not add it, in protest over auto-playing audio/video. ;-}

 

/charlie

 


-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
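
A simplified model of the source-host matching described in the reply at the top of this thread, added here as an example and not taken from NoScript or from any message in the thread. The hosts, the exact-host matching rule and the function names are assumptions made for illustration.

```javascript
// Simplified model of script allow-listing keyed on the script's source host.
// Not NoScript's code. Assumption: entries match the exact host of the script URL.
function makePolicy(allowedHosts) {
  const permanent = new Set(allowedHosts);
  const temporary = new Set(); // emptied when the browser session ends

  return {
    allowTemporarily(host) { temporary.add(host); },
    endSession() { temporary.clear(); },
    // pageUrl is used only to resolve relative script URLs; the allow/block
    // decision depends on the host the script is served from.
    decide(pageUrl, scriptUrl) {
      const scriptHost = new URL(scriptUrl, pageUrl).hostname;
      const allowed = permanent.has(scriptHost) || temporary.has(scriptHost);
      return allowed ? "allow" : "block";
    },
  };
}

// Constructed sample page; every host below is a placeholder.
const PAGE = "https://news.example/article";
const SCRIPTS = [
  "/js/site.js",                       // the site's own script
  "https://tracker.example/beacon.js", // ad-tracking host
  "https://cdn.example/framework.js",  // third-party framework not hosted locally
  "/uploads/injected.js",              // file planted on the compromised same server
];

// Returns one decision per script, in the order of SCRIPTS.
function evaluatePage(policy) {
  return SCRIPTS.map((src) => policy.decide(PAGE, src));
}

const policy = makePolicy(["news.example"]);
console.log(evaluatePage(policy));
```

The last entry is allowed because it is served from the whitelisted host, which is the case the reply says the whitelist does not help with.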
