←2021-02-17 2021-02-18 2021-02-19→ ↑2021 ↑all
00:09:35 -!- spruit11 has quit (Read error: No route to host).
00:29:32 -!- spruit11 has joined.
00:55:39 -!- arseniiv has quit (Ping timeout: 256 seconds).
01:39:30 -!- spruit11 has quit (Quit: Lost terminal).
01:47:13 -!- spruit11 has joined.
02:32:50 -!- Lord_of_Life_ has joined.
02:33:25 -!- Lord_of_Life has quit (Ping timeout: 240 seconds).
02:34:13 -!- Lord_of_Life_ has changed nick to Lord_of_Life.
02:56:13 -!- paul2520_ has joined.
02:59:33 -!- HackEso has quit (Ping timeout: 240 seconds).
02:59:33 -!- paul2520 has quit (Ping timeout: 240 seconds).
02:59:34 -!- HackEso has joined.
02:59:34 -!- HackEso has quit (Changing host).
02:59:34 -!- HackEso has joined.
02:59:41 -!- int-e has quit (Ping timeout: 244 seconds).
03:01:54 -!- fungot has quit (Ping timeout: 240 seconds).
03:03:36 -!- fungot has joined.
03:05:29 -!- int-e has joined.
03:11:42 -!- clog has joined.
03:15:26 -!- ais523 has quit (Remote host closed the connection).
03:16:38 -!- ais523 has joined.
03:20:40 -!- ais523 has quit (Remote host closed the connection).
03:21:53 -!- ais523 has joined.
03:22:14 <esowiki> [[PRSCNT]] https://esolangs.org/w/index.php?diff=80796&oldid=80657 * Hakerh400 * (+2769) Add interpreter, add INP instruction for input, explain computational class, revert old examples
03:24:56 -!- HackEso has quit (Ping timeout: 240 seconds).
03:25:35 -!- HackEso has joined.
03:43:48 -!- ais523 has quit (Remote host closed the connection).
03:45:02 -!- ais523 has joined.
03:51:44 -!- tromp has quit (Read error: Connection reset by peer).
03:52:17 -!- tromp has joined.
05:27:02 <esowiki> [[PRSCNT]] M https://esolangs.org/w/index.php?diff=80797&oldid=80796 * Hakerh400 * (+1) /* Computational class */
05:28:22 -!- craigo has joined.
06:30:07 -!- delta23 has quit (Quit: Leaving).
07:14:49 <zzo38> I had designed a computer video processor before (never implemented), with its own instruction set, and during each scanline you can set the addresses for the planes and index data independently, even overlapping if you want to.
07:15:47 <zzo38> Although not the intention, I later realized that one effect that can be generated with this without too much difficulty is drop shadows. At first I thought only vertical drop shadows, but later I realized how to do drop shadows in any direction (other than purely horizontally), by skewing the picture.
07:16:01 <zzo38> Other effects that were not the intention are probably also possible.
07:16:19 <zzo38> (As well as some that probably were the intention at first.)
07:18:20 -!- imode has joined.
07:32:53 <zzo38> Stealth Thrower {?} Creature - ? (1/1) ;; {T}: ~ deals 3 damage to target creature or planeswalker. Flip a coin; if heads, shuffle ~ and all permanents attached to it into their owner's library.
07:38:17 -!- imode has quit (Quit: WeeChat 3.0).
07:39:13 -!- LKoen has joined.
08:12:52 -!- Sgeo has quit (Read error: Connection reset by peer).
08:31:00 -!- ArthurStrong has joined.
08:33:51 -!- sprock has quit (Ping timeout: 246 seconds).
08:51:21 -!- ArthurStrong has quit (Ping timeout: 246 seconds).
09:07:28 -!- LKoen has quit (Read error: Connection reset by peer).
09:08:04 -!- LKoen has joined.
09:09:49 -!- hendursa1 has joined.
09:10:41 -!- hendursaga has quit (Ping timeout: 268 seconds).
09:28:44 <esowiki> [[Special:Log/newusers]] create * AGuy * New user account
09:38:53 <esowiki> [[Esolang:Introduce yourself]] https://esolangs.org/w/index.php?diff=80798&oldid=80775 * AGuy * (+78) /* Introductions */
09:41:48 <esowiki> [[Esolang:Introduce yourself]] https://esolangs.org/w/index.php?diff=80799&oldid=80798 * AGuy * (+8) /* Introductions */
09:43:06 <esowiki> [[Esolang:Introduce yourself]] https://esolangs.org/w/index.php?diff=80800&oldid=80799 * AGuy * (+30) /* Introductions */
09:44:45 -!- tromp has quit (Remote host closed the connection).
09:49:04 -!- tromp has joined.
09:51:02 <wib_jonas> ah yes, the internet is so great. if the latest fashionable app that job wants us to use, and there's a problem with it, I can use a web search to find other people complaining about the same problem.
09:55:43 -!- ArthurStrong has joined.
10:13:23 <wib_jonas> for reference, the Microsoft Teams non-browser version does not care about Windows's locale when displaying datetimes. It has its own locale settings, but you can't set date formats, only pick a full locale that includes messages. A partial workaround is to select United Kingdom as its locale, which at least displays times like "14:00" instead of
10:13:23 <wib_jonas> "2:00 PM" or "2:00 p.m.", but still uses a weird format for dates.
10:19:07 <fizzie> Are the UK dates DD/MM/YYYY? That's what I mostly see here, which I'm reasonably okay with given that it's in the "right" order, but OTOH using slashes makes it look one of those bad US dates.
10:21:21 <wib_jonas> fizzie: it displays "Thursday, 18 February 2021 @ 14:00" as long datetime, and apparently "Yesterday" and "12/02 09:52" for abbreviated datetime, and even "12 Feb 2021 09:52" as a tooltip for that.
10:21:43 <wib_jonas> I haven't seen "DD/MM/YYYY" yet, but perhaps I'll find it elsewhere. there are many tabs and plugins.
10:22:19 <wib_jonas> ah yes, there's a "15/06/2020 21:51" too
10:24:20 <fizzie> Right, I didn't think of the "text" ones. But DD/MM and DD/MM/YYYY (and maybe DD/MM/YY) are common "numeric" ones.
10:25:40 <wib_jonas> Windows and its built-in programs like Explorer are made well enough, less affected by fashionable trends of replacing apps every year, so File Explorer says "2020-08-29 17:14" for a file modification time
10:26:23 <wib_jonas> Outlook is somewhere in between, it shows "2021-02-05" sometimes, but also "Fri 02-12" for more recent mails.
10:26:38 <wib_jonas> and "Sun 19:22" for even more recent ones.
10:28:22 <esowiki> [[User:AGuy]] N https://esolangs.org/w/index.php?oldid=80801 * AGuy * (+257) Who I Am
10:46:02 <nakilon> remember I told about the letter Ёё,
10:46:41 <nakilon> there is a monument in its honor: https://ru.wikipedia.org/wiki/%D0%9F%D0%B0%D0%BC%D1%8F%D1%82%D0%BD%D0%B8%D0%BA_%D0%B1%D1%83%D0%BA%D0%B2%D0%B5_%C2%AB%D1%91%C2%BB
10:48:19 <nakilon> oh there is also a monument to this one https://ru.wikipedia.org/wiki/%D0%9F%D0%B0%D0%BC%D1%8F%D1%82%D0%BD%D0%B8%D0%BA_%D0%B1%D1%83%D0%BA%D0%B2%D0%B5_%D3%A7
10:48:43 <nakilon> it's from a sub-Russia republic alphabet https://ru.wikipedia.org/wiki/%D0%9F%D0%B8%D1%81%D1%8C%D0%BC%D0%B5%D0%BD%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%BA%D0%BE%D0%BC%D0%B8
10:49:05 <nakilon> (above link in English https://en.wikipedia.org/wiki/Komi_alphabets)
10:50:18 -!- ais523 has quit (Ping timeout: 272 seconds).
11:07:28 <wib_jonas> nakilon: I wanted to say that I find a monument to a letter strange, but then I realized that we in Budapest have a statue of the numeral zero in the city https://commons.wikimedia.org/wiki/Category:Zero_Kilometre_Stone_(Budapest)
11:20:04 <fizzie> I don't think anyone's put up a monument for the letters ä, ö or å in Finland. Though I guess it wouldn't surprise me hugely if there was a big Å somewhere on Åland Islands.
11:50:29 <nakilon> wib_jonas that monument looks like I wlll not say what
11:55:07 <wib_jonas> It's a numeral 0\, not a numeral 1
12:05:21 <wib_jonas> fungot, why does this script work only if I give a type to this function parameter, not if I leave the type undeclared? that shouldn't matter in VBA, except sometimes for giving an error message if the wrong type is passed.
12:05:21 <fungot> wib_jonas: don't people say that there's only one person you can have a low moral fibre. you can only have poor ethical training, t-rex
12:06:09 <wib_jonas> and what the heck happens when I don't declare the type and I get a silent error that halfway pretends to work but doesn't actually
12:11:20 <nakilon> t-rex, you only have poor ethical training
12:19:36 <nakilon> "ë"=="ё"
12:19:37 <nakilon> => false
12:20:05 <nakilon> they look different in my terminal font and the same in IRC
12:20:55 * nakilon thought sanitizing 800'000 news websites article titles would be easy
12:52:01 -!- arseniiv has joined.
12:54:31 <fizzie> I tried to write a macro in LibreOffice Basic once, and found it approximately as painful as VBA.
12:55:23 <fizzie> (I think it lets you write in Python too, though.)
13:20:25 -!- LKoen has quit (Remote host closed the connection).
13:42:55 -!- LKoen has joined.
13:50:15 -!- LKoen has quit (Quit: “It’s only logical. First you learn to talk, then you learn to think. Too bad it’s not the other way round.”).
14:06:05 -!- Sgeo has joined.
14:09:08 -!- tromp has quit (Remote host closed the connection).
14:11:31 -!- tromp has joined.
14:14:39 -!- Arcorann_ has quit (Ping timeout: 256 seconds).
14:21:17 -!- hendursa1 has quit (Quit: hendursa1).
14:21:39 -!- hendursaga has joined.
14:23:38 -!- tromp has quit (Remote host closed the connection).
14:26:16 -!- tromp has joined.
15:19:09 -!- LKoen has joined.
16:25:45 -!- ArthurStrong has quit (Ping timeout: 240 seconds).
16:29:43 -!- wib_jonas has quit (Quit: Connection closed).
16:40:09 -!- spruit11 has quit (Read error: No route to host).
16:40:55 -!- spruit11 has joined.
18:10:49 <b_jonas> #esoteric, I have basic dumb questions about how modern web security works. there are two types of attacks where a website can try to abuse that the user has cookies to another website in the same browser. the first type is when the user tries to submit a form on https://anime.example , but the form target is actually https://bank.example/send which sends money to the owner of anime.example , and if the
18:10:55 <b_jonas> user happens to be logged into https://bank.example with the cookie, then this will use the user's bank account. there's an old method to protect against this first type: the bank.example's actual form has an unpredictable token in a hidden input field that the server checks on submit, anime.example can't forge that token in their own form. but you can't use that to fix all attacks of the second kind,
18:11:01 <b_jonas> which is when https://anime.example has a button-sized iframe that loads https://bank.example and scrolls it to where hopefully the send button will appear, and pretends that that button is the review anime episode button so the user clicks on it. I believe there's some modern web magic involving HTTP headers that lets you protect against the second type of attack, and possibly also against the first
18:11:07 <b_jonas> type. what exactly is this and where can I read the details, especially from the perspective of what I have to do if I'm writing the HTTP server software at https://bank.example ?
18:11:16 <b_jonas> all of this can be complicated with client-side scripts, but both basic attacks are possible without scripting.
18:11:46 <b_jonas> after I understand this, I'll also want to figure out how the heck xmlhttprequest and websocket works, including the same security things.
18:19:51 -!- tromp has quit (Remote host closed the connection).
18:48:01 -!- ArthurStrong has joined.
18:49:50 -!- tromp has joined.
18:59:06 <b_jonas> also my new corrective glasses (same as the old one basically) are ready, I'll probably pick it up tomorrow
19:04:11 -!- tromp has quit (Remote host closed the connection).
19:15:07 -!- pikhq has quit (Remote host closed the connection).
19:16:10 <kmc> b_jonas: I think that is managed through https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
19:16:50 <kmc> specifically https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
19:17:01 <kmc> there's also an older, simpler mechanism https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
19:17:57 -!- dnm has quit (Ping timeout: 264 seconds).
19:18:48 -!- dnm has joined.
19:24:06 <zzo38> I think there is a better way that could be done, but as far as I know is not implemented. This involves user settings that can apply to iframes, restricting the CSS that can apply to iframes (except for printed documents), allowing the user to detach iframes, having the option to always display the URL of iframes, and allowing separate sessions for iframes.
19:26:02 <zzo38> (A similar thing is possible with forms, too; if the origin is different, it can avoid sending cookies, or warn the user first. The user may also wish to examine the form before sending it even if the origin is the same; this is usually already possible (using the web developer tools), although scripts in the document can mess this up.)
19:26:21 <b_jonas> kmc: thanks. isn't there something that controls when the cookies are sent?
19:31:09 <b_jonas> kmc: I don't understand this Content-Security-Policy. isn't this about a different type of attack, where the page wants to protect against user-submitted content that the server does not properly validat and so the HTML contains scripts that execute in the displaying page's context?
19:31:18 <b_jonas> that is important, but isn't the kind of attack I'm asking about
19:31:27 <b_jonas> but maybe I just don't understand what Content-Security-Policy does
19:32:23 -!- tromp has joined.
19:32:49 <b_jonas> hmm, maybe Content-Security-Policy concerns both, but frame-ancestor and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#navigation_directives are about the attacks I'm asking about
19:39:02 <kmc> yeah it may encompass mitigations against XSS too
19:39:25 <kmc> but that's mostly handled on the server side, with proper escaping/validation of user-supplied content
19:39:54 <kmc> as i understand it frame-ancestor lets the server tell the browser not to load the page it's currently serving up as an iframe of another site
19:40:05 <kmc> which prevents clickjacking attacks like you described
19:48:52 -!- tromp has quit (Remote host closed the connection).
19:49:56 <b_jonas> kmc: so what are you supposed to use against the first type of attack? a token in a hidden input in basically every POST form?
19:50:12 <b_jonas> or Referer magic?
19:50:33 <b_jonas> I think the tokens are still used on big sites, so they might still be good practice
19:51:00 <b_jonas> but I expect there's something more to this than the iframe thing and the tokens, related directly to cookies
19:53:32 -!- pikhq has joined.
19:55:22 <kmc> I mean you could tell your browser to block all cross-domain iframes and POSTs
19:55:27 <kmc> but it would also break a lot of legit use cases
19:55:35 -!- scoofy_ has joined.
19:55:37 -!- scoofy has left.
19:55:42 -!- TheLie has joined.
19:55:55 <kmc> there is a subtle line between allowing different sites to interact and share content versus allowing malicious behavior
19:56:46 <kmc> and then there are other use cases like advertising and tracking where the user might want to prevent collaboration between multiple sites that *do* want to collaborate
19:56:56 <kmc> and of course something like Content-Security-Policy does not address that
19:57:17 <kmc> I think that the CSRF token in forms is still a best practice, yes
19:57:57 <kmc> for example Django enables it by default
19:59:07 <kmc> all you have to do is put {% csrf_token %} somewhere inside your <form> tag in the HTML template
20:00:03 <kmc> and the CsrfViewMiddleware (which I believe is enabled by default) takes care of populating that tag with a hidden <input> containing a random value
20:00:15 <kmc> and also validating it on submit
20:00:43 <kmc> b_jonas: did you read _The Tangled Web_ by Michal Zalewski
20:00:57 <kmc> it's a pretty great tour of web security
20:01:04 <kmc> and all the disastrous things that browsers do
20:01:39 -!- scoofy_ has changed nick to scoofy.
20:01:47 -!- tromp has joined.
20:02:04 <zzo38> This is why it should be a user setting. A better web browser must be written.
20:02:13 <kmc> something users can do (that I should probably do more) is run multiple browser sessions
20:10:19 <b_jonas> "<kmc> and then there are other use cases like advertising and tracking where the user might want to prevent collaboration between multiple sites that *do* want to collaborate" => I still don't understand why advertising usually works like that, with iframes and scripts from separate servers. Are the advertising servers targeting their ads to visitors so much that they aren't allowed to just send the ad
20:10:25 <b_jonas> to the embedding site which would transcribe it into the page? Or is there a performance problem, or a maintanance one? It's certainly convenient for me because it makes it much easier to block some ads, but still.
20:11:08 <b_jonas> and no, I haven't read The Tangled Web. is that a full book?
20:11:12 <kmc> yes
20:12:07 <kmc> and yes, it would be much slower if every rinkydink site running WordPress on a tiny shared hosting instance had to synchronously wait for DoubleClick or whomever to send them an ad, then splice it into the page and serve it to you. it would also be a lot more work for the site admin to set up versus just "paste this HTML into your site"
20:12:37 <b_jonas> "<kmc> something users can do (that I should probably do more) is run multiple browser sessions" => certainly, and for something as important as a banking app it might even be worth, as it helps mitigate security bugs in browsers that let the webpage scripts jailbreak and access data that they aren't supposed to. I don't claim to always do that with banking website, but still. but I can't do that for
20:12:43 <b_jonas> all websites, and you can submit forms in malicious ways in a lot of places, not just banking.
20:14:09 <zzo38> One feature I want is to be able to skip all finite animations, and to be able to load GIF and PNG animations as videos so that they can be paused, rewound, etc.
20:14:13 <b_jonas> "<kmc> and yes, it would be much slower if every rinkydink site running WordPress on a tiny shared hosting instance had to synchronously wait for DoubleClick or whomever to send them an ad, then splice it into the page and serve it to you." => or it could track your connection with cookies and otherwise, and send an ad only the *next* time the same connection loads the page, and send a non-personalized
20:14:19 <b_jonas> ad the first time.
20:14:30 <kmc> and i think that kind of setup would also make tracking harder. with ads in iframes, every time you get an ad from the same ad provider (or same browser origin to be more precise) they can set and use cookies
20:15:05 <b_jonas> tracking harder? why? the webpage can send information back to the ad server.
20:15:49 <b_jonas> so it's probably a combination of maintenance convenience, performance, and data protection
20:16:05 <b_jonas> and the winners are us blocking the ads
20:17:25 <kmc> it could but that is a lot to coordinate
20:17:44 <kmc> note that when something is described as "harder" that does not imply that it is impossible to do that thing
20:17:51 <kmc> merely that it is more difficult
20:18:14 <APic>
20:19:18 <zzo38> Can iframes be disabled entirely (displaying only a simple hyperlink instead)? There are many other problems with iframes too, even when they are legitimate.
20:19:53 <kmc> also what if the site that's serving ads is a totally static site? in that case the iframe (or client side JS, which is also common for ads and analytics) is the only way to get dynamic, targetted ads
20:20:05 <APic> zzo38: I think lynx does this ☺
20:20:49 <b_jonas> sure, people do the more complicated things for (1) handling online payments, (2) third-party centralized login like OpenID, (3) third-party captchas like google's
20:20:53 <b_jonas> just not for ads
20:21:14 <b_jonas> all those require complicated code on the server
20:21:27 <b_jonas> that you sometimes have to upgrade as the protocols change
20:23:15 <kmc> what i'm saying is that ads that come from an iframe or clientside JS are simpler from the perspective of the site admin than ads that come baked into the main page, even if they are more complicated in terms of the steps the browser itself takes to show the ad
20:24:18 <kmc> the website wants to serve ads and get paid with a minimum of hassle; the ad network wants their network to be the easiest to set up
20:25:05 <b_jonas> sure
20:25:58 <b_jonas> and it's a whole iframe, not just an image serve from the advertiser's website hyperlinked to a redirect on the advertiser's server
20:26:36 <b_jonas> because the advertiser wants to do stuff more complicated than he could do on just an image load, like client-side scripts fingerprinting your browser in case you don't accept cookies from the advertiser
20:26:52 <kmc> yeah
20:27:05 <kmc> and ads themselves may have dynamic content
20:27:40 <kmc> maybe one day they'll start to put ads in the ads
20:28:04 <APic> Yo Dawg!
20:28:53 <b_jonas> kmc: "dynamic content" like animation and sound? that still doesn't require a full iframe.
20:29:03 <b_jonas> it could be just a video instead of an img.
20:29:29 <b_jonas> no, I think it's definitely for the tracking with fingerprinting scripts
20:30:06 <b_jonas> there's a little dynamic content as a fig-leaf excuse for why they need all the scripts
20:30:49 <kmc> animation, sound, individual clickable links within the ad
20:30:53 <kmc> some ads are even mini playable games
20:31:15 <kmc> furthermore a single site may be able to serve image ads, video ads and interactive ads
20:31:36 <kmc> but yes fingerprinting and tracking is surely another reason
20:32:05 <b_jonas> plus I think browsers might block cookies that an image load tries to set, but they might allow cookies when an iframe tries to set it
20:32:22 <b_jonas> because there is a valid use for setting cookies from an iframe
20:33:14 <b_jonas> (centralized login that sets cookies for multiple domains, like on stackexchange or wikimedia sites)
20:59:51 -!- TheLie has quit (Remote host closed the connection).
21:00:48 <b_jonas> I'm confused. some of the internet says that the rover landed savely on Mars, but https://xkcd.com/ says nothing of that sort. is there an authoritive source that I could look at to decide the contradiction?
21:01:18 <b_jonas> I'm tending to believe to xkcd, it's usually accurate about these things
21:05:53 -!- pikhq has quit (Remote host closed the connection).
21:09:36 -!- sprock has joined.
21:13:11 <b_jonas> `ftoc 50
21:13:13 <HackEso> 50.00°F = 10.00°C
21:19:39 -!- pikhq has joined.
21:27:52 -!- copumpkin has quit (Remote host closed the connection).
21:29:02 -!- copumpkin has joined.
21:29:24 -!- ArthurStrong has quit (Quit: leaving).
21:33:06 <zzo38> CBC also says the rover landed on Mars
22:15:28 <zzo38> I think that after I write the code to save changes to levels in the level editor in Free Hero Mesh, then it will be ready for other people to try Free Hero Mesh, although still it won't be complete by then, it is enough to try at first.
22:52:15 -!- g35467 has joined.
23:01:12 -!- g35467 has quit (Quit: Connection closed).
23:03:13 -!- LKoen has quit (Quit: “It’s only logical. First you learn to talk, then you learn to think. Too bad it’s not the other way round.”).
23:14:10 <esowiki> [[Talk:Dig]] https://esolangs.org/w/index.php?diff=80802&oldid=75756 * Emerald * (+290) /* Second truth machine (but it won't work) */ new section
←2021-02-17 2021-02-18 2021-02-19→ ↑2021 ↑all