update RANT/tips file and LICENSE - jscancer - Javascript crap (relatively small)
(HTM) git clone git://git.codemadness.org/jscancer
---
commit 0f8b9b4e64a50d4361b2de662d9a7c2f751fa352
parent ba2f70be3d13bb1cedb16996d667c6a221a03f3d
Author: Hiltjo Posthuma <hiltjo@codemadness.org>
Date: Thu, 4 Apr 2019 19:07:18 +0200
update RANT/tips file and LICENSE
Diffstat:
M LICENSE | 2 +-
M RANT_WEBTIPS | 33 +++++++++++++++++++++++++------
2 files changed, 28 insertions(+), 7 deletions(-)
---
(DIR) diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
ISC License
-Copyright (c) 2016-2018 Hiltjo Posthuma <hiltjo@codemadness.org>
+Copyright (c) 2016-2019 Hiltjo Posthuma <hiltjo@codemadness.org>
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
(DIR) diff --git a/RANT_WEBTIPS b/RANT_WEBTIPS
@@ -50,6 +50,7 @@ CSS:
Javascript:
- jslint: http://www.jslint.com/
- uglifyjs: http://lisperator.net/uglifyjs/ check "Scope warnings" options.
+ NOTE: do not use minification!
Browsers:
- Test it in all common browsers (Firefox, Firefox ESR, Chrome) and some older
versions.
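Review bot: the added NOTE gives no reason for the prohibition and sits directly under the uglifyjs link, a tool whose primary job is minification, so the two lines read as contradictory. Suggest stating both the intended use of the tool and the rationale, e.g. `NOTE: use uglifyjs only for its "Scope warnings"; do not ship minified code, since users and auditors cannot read it.`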
@@ -115,22 +116,28 @@ CSS:
Video / audio:
- Never use DRM.
-- Preferably use open (container) formats such as webm, oggv.
-- Show the link to the file for viewing it in an external viewer.
+- Use open (container) formats such as webm, oggv.
+- Show the link to the file for viewing it in a normal movie/media player.
- Do not autoplay video and audio, this includes background video/audio:
- extremely invasive to the user.
+ extremely invasive to the user, potentially harmful to some (handicapped)
+ people.
Flash or other proprietary plugins:
- NEVER USE THEM!
-
Websockets:
- NEVER USE THEM!
+WebGL:
+- NEVER USE IT. Consider GPU kernel bugs and users exposing this to any remote
+ site... scary. It also opens options for GPU compute abuse (browser bitcoin
+ mining, side-channel attacks, memory attacks etc).
Captchas:
-- NEVER USE THEM! Consider the handicapped people.
+- NEVER USE THEM! Consider the handicapped people. A sane alternative is just
+ some question text "What is the color of a banana?". This solution is also
+ much more accessible to poor-sighted people etc.
HTTP protocol:
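Review bot: the WebGL bullet folds several distinct risks into one sentence and leaves "memory attacks" undefined; this same commit adds a "Misc scary things" section citing the GLitch rowhammer project and the Nvidia GPU side-channel article, so point the bullet at those concrete references instead of the vague list. "GPU kernel bugs" should also say what is meant (bugs in GPU drivers, which run with kernel privilege and become reachable from untrusted page content). For the captcha replacement, a fixed question with a fixed answer only deters generic spam bots, not anyone who has read the page once, and that limitation is worth stating next to the suggestion; the accessibility claim also holds only if the question is a plain text label associated with the input field, so screen readers announce it.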
@@ -142,7 +149,8 @@ Cookies / localStorage:
- Try to reduce the amount of cookies, for static content there is no need to
use them. For logins Basic HTTP authentication can be used:
https://tools.ietf.org/html/rfc2617 (Section 2).
-- Don't use Javascript localStorage.
+- Don't use Javascript localStorage or session storage. This is a useless
+ technology often abused for persistent advertising tracking.
TLS (HTTPS):
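Review bot: the rewritten bullet lumps session storage in with localStorage, but the justification it gives ("persistent advertising tracking") applies only to localStorage: sessionStorage is scoped to one tab and discarded when the tab closes, so either drop it from the bullet or give it a separate reason. The unchanged context line above still cites RFC 2617 for Basic authentication; that RFC has been obsoleted by RFC 7617, and since Basic authentication resends the credentials on every request, the recommendation should say explicitly that it is acceptable only over TLS, which is the subject of the section that follows.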
@@ -196,3 +204,16 @@ Use of content-delivery networks (CDNs):
your site and make it untrusted for all clients. Some sites use so-called
"Subresource Integrity headers", but these are just another ugly standard/hack
for the ugly web.
+
+ https://torrentfreak.com/cloudflare-and-riaa-agree-on-tailored-site-blocking-process-180501/
+
+
+Misc scary things:
+- CSS keylogging: https://github.com/maxchehab/CSS-Keylogging
+- Talk "Scriptless Attacks: Stealing the Pie Without Touching the Sill".
+- Javascript rowhammer attack: https://www.vusec.net/projects/glitch/
+- Researchers show Nvidia GPUs can be vulnerable to side channel attacks:
+ https://www.techspot.com/news/77301-researchers-show-nvidia-gpus-can-vulnerable-side-channel.html
+- In-browser (local) port scanning and probing:
+ https://defuse.ca/in-browser-port-scanning.htm
+ https://github.com/joevennix/lan-js/tree/master/src
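Review bot: the torrentfreak URL is appended to the CDN paragraph with no sentence saying what it illustrates; a reader has to follow the link to learn it concerns Cloudflare agreeing to a site-blocking process, which is the single-point-of-trust argument the paragraph makes, so add one line of description. In the new "Misc scary things" list the talk is cited by title only; give authors and venue (Heiderich et al., ACM CCS 2012) or a URL so it can be located. The GLitch entry is labelled "Javascript rowhammer attack" although GLitch drives the attack through WebGL, which makes it the strongest concrete support for the WebGL bullet added earlier in this commit; cross-reference the two.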