< 1613606975 132776 :spruit11!~unknown@86-82-44-193.fixed.kpn.net QUIT :Read error: No route to host
< 1613608172 896507 :spruit11!~unknown@86-82-44-193.fixed.kpn.net JOIN :#esoteric
< 1613609739 93031 :arseniiv!~arseniiv@136.169.205.6 QUIT :Ping timeout: 256 seconds
< 1613612370 824704 :spruit11!~unknown@86-82-44-193.fixed.kpn.net QUIT :Quit: Lost terminal
< 1613612833 165681 :spruit11!~unknown@86-82-44-193.fixed.kpn.net JOIN :#esoteric
< 1613615570 135382 :Lord_of_Life_!~Lord@unaffiliated/lord-of-life/x-0885362 JOIN :#esoteric
< 1613615605 413790 :Lord_of_Life!~Lord@unaffiliated/lord-of-life/x-0885362 QUIT :Ping timeout: 240 seconds
< 1613615653 187876 :Lord_of_Life_!~Lord@unaffiliated/lord-of-life/x-0885362 NICK :Lord_of_Life
< 1613616973 887725 :paul2520_!~paul2520@paulkaefer.com JOIN :#esoteric
< 1613617173 545608 :HackEso!~h@unaffiliated/fizzie/bot/hackeso QUIT :Ping timeout: 240 seconds
< 1613617173 680530 :paul2520!~paul2520@unaffiliated/paul2520 QUIT :Ping timeout: 240 seconds
< 1613617174 279142 :HackEso!~h@techne.zem.fi JOIN :#esoteric
< 1613617174 503488 :HackEso!~h@techne.zem.fi QUIT :Changing host
< 1613617174 503540 :HackEso!~h@unaffiliated/fizzie/bot/hackeso JOIN :#esoteric
< 1613617181 149478 :int-e!~noone@int-e.eu QUIT :Ping timeout: 244 seconds
< 1613617314 699214 :fungot!~fungot@unaffiliated/fizzie/bot/fungot QUIT :Ping timeout: 240 seconds
< 1613617416 272542 :fungot!~fungot@unaffiliated/fizzie/bot/fungot JOIN :#esoteric
< 1613617529 128195 :int-e!~noone@int-e.eu JOIN :#esoteric
< 1613617902 364942 :clog!~nef@bespin.org JOIN :#esoteric
< 1613618126 639257 :ais523!~ais523@unaffiliated/ais523 QUIT :Remote host closed the connection
< 1613618198 348755 :ais523!~ais523@unaffiliated/ais523 JOIN :#esoteric
< 1613618440 198081 :ais523!~ais523@unaffiliated/ais523 QUIT :Remote host closed the connection
< 1613618513 501033 :ais523!~ais523@unaffiliated/ais523 JOIN :#esoteric
> 1613618534 524690 PRIVMSG #esoteric :[[PRSCNT]] https://esolangs.org/w/index.php?diff=80796&oldid=80657 * Hakerh400 * (+2769) Add interpreter, add INP instruction for input, explain computational class, revert old examples
< 1613618696 365093 :HackEso!~h@unaffiliated/fizzie/bot/hackeso QUIT :Ping timeout: 240 seconds
< 1613618735 60596 :HackEso!~h@unaffiliated/fizzie/bot/hackeso JOIN :#esoteric
< 1613619828 351995 :ais523!~ais523@unaffiliated/ais523 QUIT :Remote host closed the connection
< 1613619902 94514 :ais523!~ais523@unaffiliated/ais523 JOIN :#esoteric
< 1613620304 913646 :tromp!~tromp@dhcp-077-249-230-040.chello.nl QUIT :Read error: Connection reset by peer
< 1613620337 338303 :tromp!~tromp@dhcp-077-249-230-040.chello.nl JOIN :#esoteric
> 1613626022 172239 PRIVMSG #esoteric :[[PRSCNT]] M https://esolangs.org/w/index.php?diff=80797&oldid=80796 * Hakerh400 * (+1) /* Computational class */
< 1613626102 803878 :craigo!~craigo@144.136.206.168 JOIN :#esoteric
< 1613629807 539838 :delta23!~deltaepsi@unaffiliated/deltaepsilon23 QUIT :Quit: Leaving
< 1613632489 326310 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :I had designed a computer video processor before (never implemented), with its own instruction set, and during each scanline you can set the addresses for the planes and index data independently, even overlapping if you want to.
< 1613632547 430058 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :Although not the intention, I later realized that one effect that can be generated with this without too much difficulty is drop shadows. At first I thought only vertical drop shadows, but later I realized how to do drop shadows in any direction (other than purely horizontally), by skewing the picture.
< 1613632561 421444 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :Other effects that were not the intention are probably also possible.
< 1613632579 374392 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :(As well as some that probably were the intention at first.)
< 1613632700 793693 :imode!~imode@unaffiliated/imode JOIN :#esoteric
< 1613633573 266976 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :Stealth Thrower {?} Creature - ? (1/1) ;; {T}: ~ deals 3 damage to target creature or planeswalker. Flip a coin; if heads, shuffle ~ and all permanents attached to it into their owner's library.
< 1613633897 258134 :imode!~imode@unaffiliated/imode QUIT :Quit: WeeChat 3.0
< 1613633953 525632 :LKoen!~LKoen@136.169.9.109.rev.sfr.net JOIN :#esoteric
< 1613635972 851308 :Sgeo!~Sgeo@ool-18b98aa4.dyn.optonline.net QUIT :Read error: Connection reset by peer
< 1613637060 392596 :ArthurStrong!~ArthurStr@92.60.177.45 JOIN :#esoteric
< 1613637231 371419 :sprock!~sprocklem@unaffiliated/sprocklem QUIT :Ping timeout: 246 seconds
< 1613638281 375287 :ArthurStrong!~ArthurStr@92.60.177.45 QUIT :Ping timeout: 246 seconds
< 1613639248 1861 :LKoen!~LKoen@136.169.9.109.rev.sfr.net QUIT :Read error: Connection reset by peer
< 1613639284 504639 :LKoen!~LKoen@136.169.9.109.rev.sfr.net JOIN :#esoteric
< 1613639389 101813 :hendursa1!~weechat@gateway/tor-sasl/hendursaga JOIN :#esoteric
< 1613639441 845743 :hendursaga!~weechat@gateway/tor-sasl/hendursaga QUIT :Ping timeout: 268 seconds
> 1613640524 79567 PRIVMSG #esoteric :[[Special:Log/newusers]] create * AGuy * New user account
> 1613641133 904338 PRIVMSG #esoteric :[[Esolang:Introduce yourself]] https://esolangs.org/w/index.php?diff=80798&oldid=80775 * AGuy * (+78) /* Introductions */
> 1613641308 563552 PRIVMSG #esoteric :[[Esolang:Introduce yourself]] https://esolangs.org/w/index.php?diff=80799&oldid=80798 * AGuy * (+8) /* Introductions */
> 1613641386 777147 PRIVMSG #esoteric :[[Esolang:Introduce yourself]] https://esolangs.org/w/index.php?diff=80800&oldid=80799 * AGuy * (+30) /* Introductions */
< 1613641485 826569 :tromp!~tromp@dhcp-077-249-230-040.chello.nl QUIT :Remote host closed the connection
< 1613641744 517854 :tromp!~tromp@dhcp-077-249-230-040.chello.nl JOIN :#esoteric
< 1613641862 5210 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :ah yes, the internet is so great. if the latest fashionable app that job wants us to use, and there's a problem with it, I can use a web search to find other people complaining about the same problem.
< 1613642143 518066 :ArthurStrong!~ArthurStr@178-133-129-102.mobile.vf-ua.net JOIN :#esoteric
< 1613643203 114445 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :for reference, the Microsoft Teams non-browser version does not care about Windows's locale when displaying datetimes. It has its own locale settings, but you can't set date formats, only pick a full locale that includes messages. A partial workaround is to select United Kingdom as its locale, which at least displays times like "14:00" instead of
< 1613643203 670790 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :"2:00 PM" or "2:00 p.m.", but still uses a weird format for dates.
< 1613643547 495021 :fizzie!fis@unaffiliated/fizzie PRIVMSG #esoteric :Are the UK dates DD/MM/YYYY? That's what I mostly see here, which I'm reasonably okay with given that it's in the "right" order, but OTOH using slashes makes it look one of those bad US dates.
< 1613643681 290725 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :fizzie: it displays "Thursday, 18 February 2021 @ 14:00" as long datetime, and apparently "Yesterday" and "12/02 09:52" for abbreviated datetime, and even "12 Feb 2021 09:52" as a tooltip for that.
< 1613643703 926052 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :I haven't seen "DD/MM/YYYY" yet, but perhaps I'll find it elsewhere. there are many tabs and plugins.
< 1613643739 959246 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :ah yes, there's a "15/06/2020 21:51" too
< 1613643860 380275 :fizzie!fis@unaffiliated/fizzie PRIVMSG #esoteric :Right, I didn't think of the "text" ones. But DD/MM and DD/MM/YYYY (and maybe DD/MM/YY) are common "numeric" ones.
< 1613643940 739352 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :Windows and its built-in programs like Explorer are made well enough, less affected by fashionable trends of replacing apps every year, so File Explorer says "2020-08-29 17:14" for a file modification time
< 1613643983 391649 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :Outlook is somewhere in between, it shows "2021-02-05" sometimes, but also "Fri 02-12" for more recent mails.
< 1613643998 486848 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :and "Sun 19:22" for even more recent ones.
> 1613644102 612938 PRIVMSG #esoteric :[[User:AGuy]] N https://esolangs.org/w/index.php?oldid=80801 * AGuy * (+257) Who I Am
< 1613645162 539497 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :remember I told about the letter Ёё,
< 1613645201 115853 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :there is a monument in its honor: https://ru.wikipedia.org/wiki/%D0%9F%D0%B0%D0%BC%D1%8F%D1%82%D0%BD%D0%B8%D0%BA_%D0%B1%D1%83%D0%BA%D0%B2%D0%B5_%C2%AB%D1%91%C2%BB
< 1613645299 311369 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :oh there is also a monument to this one https://ru.wikipedia.org/wiki/%D0%9F%D0%B0%D0%BC%D1%8F%D1%82%D0%BD%D0%B8%D0%BA_%D0%B1%D1%83%D0%BA%D0%B2%D0%B5_%D3%A7
< 1613645323 681470 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :it's from a sub-Russia republic alphabet https://ru.wikipedia.org/wiki/%D0%9F%D0%B8%D1%81%D1%8C%D0%BC%D0%B5%D0%BD%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%BA%D0%BE%D0%BC%D0%B8
< 1613645345 825603 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :(above link in English https://en.wikipedia.org/wiki/Komi_alphabets)
< 1613645418 154023 :ais523!~ais523@unaffiliated/ais523 QUIT :Ping timeout: 272 seconds
< 1613646448 685975 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :nakilon: I wanted to say that I find a monument to a letter strange, but then I realized that we in Budapest have a statue of the numeral zero in the city https://commons.wikimedia.org/wiki/Category:Zero_Kilometre_Stone_(Budapest)
< 1613647204 847244 :fizzie!fis@unaffiliated/fizzie PRIVMSG #esoteric :I don't think anyone's put up a monument for the letters ä, ö or å in Finland. Though I guess it wouldn't surprise me hugely if there was a big Å somewhere on Åland Islands.
< 1613649029 67957 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :wib_jonas that monument looks like I will not say what
< 1613649307 976811 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :It's a numeral 0\, not a numeral 1
< 1613649921 631454 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :fungot, why does this script work only if I give a type to this function parameter, not if I leave the type undeclared? that shouldn't matter in VBA, except sometimes for giving an error message if the wrong type is passed.
< 1613649921 713933 :fungot!~fungot@unaffiliated/fizzie/bot/fungot PRIVMSG #esoteric :wib_jonas: don't people say that there's only one person you can have a low moral fibre. you can only have poor ethical training, t-rex
< 1613649969 799564 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 PRIVMSG #esoteric :and what the heck happens when I don't declare the type and I get a silent error that halfway pretends to work but doesn't actually
< 1613650280 378083 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :t-rex, you only have poor ethical training
< 1613650776 849620 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :"ë"=="ё"
< 1613650777 10419 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :=> false
< 1613650805 881233 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :they look different in my terminal font and the same in IRC
< 1613650855 413453 :nakilon!~nakilon@62.241.154.104.bc.googleusercontent.com PRIVMSG #esoteric :ACTION thought sanitizing 800'000 news websites article titles would be easy
< 1613652721 375361 :arseniiv!~arseniiv@136.169.205.6 JOIN :#esoteric
< 1613652871 30934 :fizzie!fis@unaffiliated/fizzie PRIVMSG #esoteric :I tried to write a macro in LibreOffice Basic once, and found it approximately as painful as VBA.
< 1613652923 325682 :fizzie!fis@unaffiliated/fizzie PRIVMSG #esoteric :(I think it lets you write in Python too, though.)
< 1613654425 126013 :LKoen!~LKoen@136.169.9.109.rev.sfr.net QUIT :Remote host closed the connection
< 1613655775 878309 :LKoen!~LKoen@136.169.9.109.rev.sfr.net JOIN :#esoteric
< 1613656215 309028 :LKoen!~LKoen@136.169.9.109.rev.sfr.net QUIT :Quit: “It’s only logical. First you learn to talk, then you learn to think. Too bad it’s not the other way round.”
< 1613657165 418977 :Sgeo!~Sgeo@ool-18b98aa4.dyn.optonline.net JOIN :#esoteric
< 1613657348 847739 :tromp!~tromp@dhcp-077-249-230-040.chello.nl QUIT :Remote host closed the connection
< 1613657491 381187 :tromp!~tromp@dhcp-077-249-230-040.chello.nl JOIN :#esoteric
< 1613657679 95819 :Arcorann_!~awych@159-196-65-46.9fc441.mel.nbn.aussiebb.net QUIT :Ping timeout: 256 seconds
< 1613658077 232389 :hendursa1!~weechat@gateway/tor-sasl/hendursaga QUIT :Quit: hendursa1
< 1613658099 874616 :hendursaga!~weechat@gateway/tor-sasl/hendursaga JOIN :#esoteric
< 1613658218 205038 :tromp!~tromp@dhcp-077-249-230-040.chello.nl QUIT :Remote host closed the connection
< 1613658376 378583 :tromp!~tromp@dhcp-077-249-230-040.chello.nl JOIN :#esoteric
< 1613661549 833059 :LKoen!~LKoen@136.169.9.109.rev.sfr.net JOIN :#esoteric
< 1613665545 332897 :ArthurStrong!~ArthurStr@178-133-129-102.mobile.vf-ua.net QUIT :Ping timeout: 240 seconds
< 1613665783 221349 :wib_jonas!25bf3cd1@gateway/web/cgi-irc/kiwiirc.com/ip.37.191.60.209 QUIT :Quit: Connection closed
< 1613666409 799201 :spruit11!~unknown@86-82-44-193.fixed.kpn.net QUIT :Read error: No route to host
< 1613666455 721413 :spruit11!~unknown@86-82-44-193.fixed.kpn.net JOIN :#esoteric
< 1613671849 13235 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :#esoteric, I have basic dumb questions about how modern web security works. there are two types of attacks where a website can try to abuse that the user has cookies to another website in the same browser. the first type is when the user tries to submit a form on https://anime.example , but the form target is actually https://bank.example/send which sends money to the owner of anime.example , and if the
< 1613671855 21047 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :user happens to be logged into https://bank.example with the cookie, then this will use the user's bank account. there's an old method to protect against this first type: the bank.example's actual form has an unpredictable token in a hidden input field that the server checks on submit, anime.example can't forge that token in their own form. but you can't use that to fix all attacks of the second kind,
< 1613671861 37192 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :which is when https://anime.example has a button-sized iframe that loads https://bank.example and scrolls it to where hopefully the send button will appear, and pretends that that button is the review anime episode button so the user clicks on it. I believe there's some modern web magic involving HTTP headers that lets you protect against the second type of attack, and possibly also against the first
< 1613671867 38593 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :type. what exactly is this and where can I read the details, especially from the perspective of what I have to do if I'm writing the HTTP server software at https://bank.example ?
< 1613671876 489613 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :all of this can be complicated with client-side scripts, but both basic attacks are possible without scripting.
< 1613671906 176071 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :after I understand this, I'll also want to figure out how the heck xmlhttprequest and websocket works, including the same security things.
< 1613672391 215481 :tromp!~tromp@dhcp-077-249-230-040.chello.nl QUIT :Remote host closed the connection
< 1613674081 110767 :ArthurStrong!~ArthurStr@178-133-129-102.mobile.vf-ua.net JOIN :#esoteric
< 1613674190 176503 :tromp!~tromp@dhcp-077-249-230-040.chello.nl JOIN :#esoteric
< 1613674746 222746 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :also my new corrective glasses (same as the old one basically) are ready, I'll probably pick it up tomorrow
< 1613675051 948303 :tromp!~tromp@dhcp-077-249-230-040.chello.nl QUIT :Remote host closed the connection
< 1613675707 195870 :pikhq!sid394595@gateway/web/irccloud.com/x-kibzupzhkkvzdppb QUIT :Remote host closed the connection
< 1613675770 818464 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :b_jonas: I think that is managed through https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
< 1613675810 570961 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :specifically https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
< 1613675821 858016 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :there's also an older, simpler mechanism https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
< 1613675877 447295 :dnm!sid401311@gateway/web/irccloud.com/x-qfqrbyavdfoqnreb QUIT :Ping timeout: 264 seconds
< 1613675928 825383 :dnm!sid401311@gateway/web/irccloud.com/x-wqqjmtwmxpiyoquj JOIN :#esoteric
< 1613676246 758076 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :I think there is a better way that could be done, but as far as I know is not implemented. This involves user settings that can apply to iframes, restricting the CSS that can apply to iframes (except for printed documents), allowing the user to detach iframes, having the option to always display the URL of iframes, and allowing separate sessions for iframes.
< 1613676362 41561 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :(A similar thing is possible with forms, too; if the origin is different, it can avoid sending cookies, or warn the user first. The user may also wish to examine the form before sending it even if the origin is the same; this is usually already possible (using the web developer tools), although scripts in the document can mess this up.)
< 1613676381 687942 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :kmc: thanks. isn't there something that controls when the cookies are sent?
< 1613676669 928101 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :kmc: I don't understand this Content-Security-Policy. isn't this about a different type of attack, where the page wants to protect against user-submitted content that the server does not properly validate and so the HTML contains scripts that execute in the displaying page's context?
< 1613676678 794542 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :that is important, but isn't the kind of attack I'm asking about
< 1613676687 852456 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :but maybe I just don't understand what Content-Security-Policy does
< 1613676743 617366 :tromp!~tromp@dhcp-077-249-230-040.chello.nl JOIN :#esoteric
< 1613676769 599938 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :hmm, maybe Content-Security-Policy concerns both, but frame-ancestor and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#navigation_directives are about the attacks I'm asking about
< 1613677142 605845 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :yeah it may encompass mitigations against XSS too
< 1613677165 565349 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :but that's mostly handled on the server side, with proper escaping/validation of user-supplied content
< 1613677194 171692 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :as i understand it frame-ancestor lets the server tell the browser not to load the page it's currently serving up as an iframe of another site
< 1613677205 991711 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :which prevents clickjacking attacks like you described
< 1613677732 453057 :tromp!~tromp@dhcp-077-249-230-040.chello.nl QUIT :Remote host closed the connection
< 1613677796 641117 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :kmc: so what are you supposed to use against the first type of attack? a token in a hidden input in basically every POST form?
< 1613677812 830303 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :or Referer magic?
< 1613677833 982392 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :I think the tokens are still used on big sites, so they might still be good practice
< 1613677860 148482 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :but I expect there's something more to this than the iframe thing and the tokens, related directly to cookies
< 1613678012 304076 :pikhq!sid394595@gateway/web/irccloud.com/x-zlulmghkaikjpekc JOIN :#esoteric
< 1613678122 608563 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :I mean you could tell your browser to block all cross-domain iframes and POSTs
< 1613678127 633659 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :but it would also break a lot of legit use cases
< 1613678135 521737 :scoofy_!~scoofy@catv-89-135-21-225.catv.broadband.hu JOIN :#esoteric
< 1613678137 344079 :scoofy!~scoofy@catv-89-135-21-225.catv.broadband.hu PART :#esoteric
< 1613678142 79219 :TheLie!~TheLie@business-24-134-17-157.pool2.vodafone-ip.de JOIN :#esoteric
< 1613678155 221347 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :there is a subtle line between allowing different sites to interact and share content versus allowing malicious behavior
< 1613678206 59454 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :and then there are other use cases like advertising and tracking where the user might want to prevent collaboration between multiple sites that *do* want to collaborate
< 1613678216 168339 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :and of course something like Content-Security-Policy does not address that
< 1613678237 95712 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :I think that the CSRF token in forms is still a best practice, yes
< 1613678277 698663 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :for example Django enables it by default
< 1613678347 144469 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :all you have to do is put {% csrf_token %} somewhere inside your <form> tag in the HTML template
< 1613678403 874930 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :and the CsrfViewMiddleware (which I believe is enabled by default) takes care of populating that tag with a hidden <input> containing a random value
< 1613678415 107707 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :and also validating it on submit
< 1613678443 139746 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :b_jonas: did you read _The Tangled Web_ by Michal Zalewski
< 1613678457 304906 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :it's a pretty great tour of web security
< 1613678464 706788 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :and all the disastrous things that browsers do
< 1613678499 864026 :scoofy_!~scoofy@catv-89-135-21-225.catv.broadband.hu NICK :scoofy
< 1613678507 389539 :tromp!~tromp@dhcp-077-249-230-040.chello.nl JOIN :#esoteric
< 1613678524 725601 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :This is why it should be a user setting. A better web browser must be written.
< 1613678533 876333 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :something users can do (that I should probably do more) is run multiple browser sessions
< 1613679019 393336 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :" and then there are other use cases like advertising and tracking where the user might want to prevent collaboration between multiple sites that *do* want to collaborate" => I still don't understand why advertising usually works like that, with iframes and scripts from separate servers. Are the advertising servers targeting their ads to visitors so much that they aren't allowed to just send the ad
< 1613679025 401117 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :to the embedding site which would transcribe it into the page? Or is there a performance problem, or a maintenance one? It's certainly convenient for me because it makes it much easier to block some ads, but still.
< 1613679068 6975 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :and no, I haven't read The Tangled Web. is that a full book?
< 1613679072 219408 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :yes
< 1613679127 790558 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :and yes, it would be much slower if every rinkydink site running WordPress on a tiny shared hosting instance had to synchronously wait for DoubleClick or whomever to send them an ad, then splice it into the page and serve it to you. it would also be a lot more work for the site admin to set up versus just "paste this HTML into your site"
< 1613679157 455629 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :" something users can do (that I should probably do more) is run multiple browser sessions" => certainly, and for something as important as a banking app it might even be worth, as it helps mitigate security bugs in browsers that let the webpage scripts jailbreak and access data that they aren't supposed to. I don't claim to always do that with banking website, but still. but I can't do that for
< 1613679163 462367 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :all websites, and you can submit forms in malicious ways in a lot of places, not just banking.
< 1613679249 537547 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :One feature I want is to be able to skip all finite animations, and to be able to load GIF and PNG animations as videos so that they can be paused, rewound, etc.
< 1613679253 182411 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :" and yes, it would be much slower if every rinkydink site running WordPress on a tiny shared hosting instance had to synchronously wait for DoubleClick or whomever to send them an ad, then splice it into the page and serve it to you." => or it could track your connection with cookies and otherwise, and send an ad only the *next* time the same connection loads the page, and send a non-personalized
< 1613679259 200052 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :ad the first time.
< 1613679270 756178 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :and i think that kind of setup would also make tracking harder. with ads in iframes, every time you get an ad from the same ad provider (or same browser origin to be more precise) they can set and use cookies
< 1613679305 217058 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :tracking harder? why? the webpage can send information back to the ad server.
< 1613679349 790719 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :so it's probably a combination of maintenance convenience, performance, and data protection
< 1613679365 903872 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :and the winners are us blocking the ads
< 1613679445 519293 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :it could but that is a lot to coordinate
< 1613679464 452598 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :note that when something is described as "harder" that does not imply that it is impossible to do that thing
< 1613679471 734041 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :merely that it is more difficult
< 1613679494 740532 :APic!apic@apic.name PRIVMSG #esoteric :☺
< 1613679558 654863 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :Can iframes be disabled entirely (displaying only a simple hyperlink instead)? There are many other problems with iframes too, even when they are legitimate.
< 1613679593 104437 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :also what if the site that's serving ads is a totally static site? in that case the iframe (or client side JS, which is also common for ads and analytics) is the only way to get dynamic, targeted ads
< 1613679605 458667 :APic!apic@apic.name PRIVMSG #esoteric :zzo38: I think lynx does this ☺
< 1613679649 915942 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :sure, people do the more complicated things for (1) handling online payments, (2) third-party centralized login like OpenID, (3) third-party captchas like google's
< 1613679653 585719 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :just not for ads
< 1613679674 329564 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :all those require complicated code on the server
< 1613679687 538056 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :that you sometimes have to upgrade as the protocols change
< 1613679795 153666 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :what i'm saying is that ads that come from an iframe or clientside JS are simpler from the perspective of the site admin than ads that come baked into the main page, even if they are more complicated in terms of the steps the browser itself takes to show the ad
< 1613679858 584598 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :the website wants to serve ads and get paid with a minimum of hassle; the ad network wants their network to be the easiest to set up
< 1613679905 862819 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :sure
< 1613679958 897637 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :and it's a whole iframe, not just an image serve from the advertiser's website hyperlinked to a redirect on the advertiser's server
< 1613679996 591558 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :because the advertiser wants to do stuff more complicated than he could do on just an image load, like client-side scripts fingerprinting your browser in case you don't accept cookies from the advertiser
< 1613680012 393011 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :yeah
< 1613680025 565863 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :and ads themselves may have dynamic content
< 1613680060 852268 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :maybe one day they'll start to put ads in the ads
< 1613680084 148693 :APic!apic@apic.name PRIVMSG #esoteric :Yo Dawg!
< 1613680133 350391 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :kmc: "dynamic content" like animation and sound? that still doesn't require a full iframe.
< 1613680143 141274 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :it could be just a video instead of an img.
< 1613680169 35930 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :no, I think it's definitely for the tracking with fingerprinting scripts
< 1613680206 161753 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :there's a little dynamic content as a fig-leaf excuse for why they need all the scripts
< 1613680249 710270 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :animation, sound, individual clickable links within the ad
< 1613680253 586612 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :some ads are even mini playable games
< 1613680275 113160 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :furthermore a single site may be able to serve image ads, video ads and interactive ads
< 1613680296 592450 :kmc!~beehive@unaffiliated/kmcallister PRIVMSG #esoteric :but yes fingerprinting and tracking is surely another reason
< 1613680325 643759 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :plus I think browsers might block cookies that an image load tries to set, but they might allow cookies when an iframe tries to set it
< 1613680342 660397 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :because there is a valid use for setting cookies from an iframe
< 1613680394 55102 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :(centralized login that sets cookies for multiple domains, like on stackexchange or wikimedia sites)
< 1613681991 338812 :TheLie!~TheLie@business-24-134-17-157.pool2.vodafone-ip.de QUIT :Remote host closed the connection
< 1613682048 271605 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :I'm confused. some of the internet says that the rover landed safely on Mars, but https://xkcd.com/ says nothing of that sort. is there an authoritative source that I could look at to decide the contradiction?
< 1613682078 269957 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :I'm tending to believe xkcd, it's usually accurate about these things
< 1613682353 571840 :pikhq!sid394595@gateway/web/irccloud.com/x-zlulmghkaikjpekc QUIT :Remote host closed the connection
< 1613682576 175395 :sprock!~sprocklem@unaffiliated/sprocklem JOIN :#esoteric
< 1613682791 213220 :b_jonas!~a@catv-176-63-11-165.catv.broadband.hu PRIVMSG #esoteric :`ftoc 50
< 1613682793 208330 :HackEso!~h@unaffiliated/fizzie/bot/hackeso PRIVMSG #esoteric :50.00°F = 10.00°C
< 1613683179 419290 :pikhq!sid394595@gateway/web/irccloud.com/x-pqjubonovmqjadtc JOIN :#esoteric
< 1613683672 556539 :copumpkin!~copumpkin@unaffiliated/copumpkin QUIT :Remote host closed the connection
< 1613683742 768439 :copumpkin!~copumpkin@unaffiliated/copumpkin JOIN :#esoteric
< 1613683764 816333 :ArthurStrong!~ArthurStr@178-133-129-102.mobile.vf-ua.net QUIT :Quit: leaving
< 1613683986 734142 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :CBC also says the rover landed on Mars
< 1613686528 599228 :zzo38!~zzo38@host-24-207-14-22.public.eastlink.ca PRIVMSG #esoteric :I think that after I write the code to save changes to levels in the level editor in Free Hero Mesh, then it will be ready for other people to try Free Hero Mesh, although still it won't be complete by then, it is enough to try at first.
< 1613688735 837935 :g35467!2fdafd51@47-218-253-81.bcstcmta04.res.dyn.suddenlink.net JOIN :#esoteric
< 1613689272 360911 :g35467!2fdafd51@47-218-253-81.bcstcmta04.res.dyn.suddenlink.net QUIT :Quit: Connection closed
< 1613689393 824220 :LKoen!~LKoen@136.169.9.109.rev.sfr.net QUIT :Quit: “It’s only logical. First you learn to talk, then you learn to think. Too bad it’s not the other way round.”
> 1613690050 143861 PRIVMSG #esoteric :[[Talk:Dig]] https://esolangs.org/w/index.php?diff=80802&oldid=75756 * Emerald * (+290) /* Second truth machine (but it won't work) */ new section