• Cross-site scripting at information providers


    #468344

    These observations may seem a little off-topic, but the core is about how to maintain browser security, when information providers use other (cross-site) providers, with no online acknowledgment that they are doing so. As an example, the online.wsj.com website seems to be changing some of the other providers that they use. When IE8 is locked down according to decent security practices, the result may be that some features of online.wsj silently fail to work. Under FF w/ NoScript, one can more easily detect what WSJ has gotten up to, and take corrective action.

    From a different angle, when features stop working, it is sometimes not clear whether the action was intended by the information provider, or accidental. This morning, online.wsj.com started blocking new comments from one subscriber. Even the most innocuous sentences seemed to be blocked as “Does not meet Community Standards”. Whatever the issue was, it cleared up after an hour or so. How is a user to know whether they have violated some standard, or run afoul of the shifting (quick)sands of technology?

    • #1219702

      If you are running NoScript, any site which doesn’t like the add-on will probably flash you a message saying so, or redirect you to an “oops!” page. The message will say that you need to enable JavaScript to continue. If the problem is server-side, try back in an hour or two, or at most a day or two. Most rules violations result in an e-mail notice within a day or two. If you are running Firefox with NoScript, you are doing things the right way, IMHO. But WSJ does not like NoScript, as it can be used to block ads, and Rupert Murdoch (owner of WSJ) really hates it when users block his ads.

      And the issue of user safety vs. web site usability is definitely not off-topic here in The Lounge! Several of us are struggling with sites which are taking countermeasures against users of AdBlock Plus and NoScript. Unfortunately, there are no clear-cut answers here. Sites need to make money, and they make money by displaying ads. But hackers send out malicious ads and scripts, so it is not safe to always let ads display. Something needs to be done to resolve this issue — but what?

      -- rc primak

    • #1219803

      What makes this even more complex is when there is legitimate cross-site scripting on a site. This is becoming more common as companies merge and various sites align themselves with other sites that complement one another. One example of this: my health insurance company recently merged their prescription company with another. All traffic related to prescriptions now goes to the new company, while pulling over your authentication from the insurance company’s web site. Yes, I can add exceptions to NoScript, when it’s something obvious like this. But I’ve run into quite a few situations where it’s not obvious. What to block and not to block…
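    Both replies above come down to the same question: which other providers is a page actually pulling scripts from, and which of those have you already decided to trust? The following is an added example, not code from this thread or from NoScript. It takes the page URL, the list of script sources on the page, and a per-site allowlist of the kind NoScript keeps for you, and splits the sources into first-party, allowlisted third-party, and unknown third-party, so the unknown bucket is the list you have to make a decision about. The page and script URLs are constructed sample values (under the reserved .test domain); in a browser console it reads the real script tags instead. The "site" grouping is a two-label approximation rather than a public-suffix list, which is an assumption noted in the code.

```javascript
// Added example: inventory the script origins a page loads and sort them into
// first-party, allowlisted third-party, and unknown third-party.
// Runs under Node with the constructed sample below, or in a browser console
// where it reads the page's own <script src> elements.

// Approximate "site" of a hostname as its last two labels.
// Assumption: no public-suffix list, so hosts under e.g. co.uk will be
// grouped too coarsely. Good enough to show the technique.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.length <= 2 ? labels.join('.') : labels.slice(-2).join('.');
}

// Classify script sources relative to the page they were loaded on.
// allowlist: hostnames or sites the user has already chosen to permit.
function classifyScripts(pageUrl, scriptUrls, allowlist = []) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const allowed = new Set(allowlist.map((h) => h.toLowerCase()));
  const report = { firstParty: [], allowedThirdParty: [], unknownThirdParty: [], inline: 0 };

  for (const src of scriptUrls) {
    if (!src) {                       // <script> with no src: inline code
      report.inline += 1;
      continue;
    }
    let host;
    try {
      host = new URL(src, pageUrl).hostname.toLowerCase();   // resolves relative paths
    } catch (e) {
      report.unknownThirdParty.push(src);                     // unparsable: treat as unknown
      continue;
    }
    const site = siteOf(host);
    if (site === pageSite) {
      report.firstParty.push(host);
    } else if (allowed.has(host) || allowed.has(site)) {
      report.allowedThirdParty.push(host);
    } else {
      report.unknownThirdParty.push(host);
    }
  }

  // De-duplicate and sort each bucket so the output is stable and readable.
  for (const key of ['firstParty', 'allowedThirdParty', 'unknownThirdParty']) {
    report[key] = [...new Set(report[key])].sort();
  }
  return report;
}

// Constructed sample: a news page that pulls scripts from several providers.
const SAMPLE_PAGE = 'https://online.example-news.test/article/123';
const SAMPLE_SCRIPTS = [
  '/static/app.js',                          // relative, same host
  'https://cdn.example-news.test/lib.js',    // same site, different host
  'https://comments.widgets.test/embed.js',  // third party already allowlisted
  'https://ads.tracker.test/pixel.js',       // third party never decided on
  '',                                        // inline script
];
const SAMPLE_ALLOWLIST = ['comments.widgets.test'];

// In a browser, read the live page; elsewhere fall back to the sample.
function pageScriptSources() {
  if (typeof document === 'undefined') return SAMPLE_SCRIPTS;
  return Array.from(document.scripts, (s) => s.getAttribute('src') || '');
}

const pageUrl = typeof location === 'undefined' ? SAMPLE_PAGE : location.href;
console.log(JSON.stringify(classifyScripts(pageUrl, pageScriptSources(), SAMPLE_ALLOWLIST), null, 2));
```

    The unknownThirdParty bucket is what you would review before adding an exception; the firstParty bucket shows that a provider spread across several hostnames (an app host plus a CDN host) still belongs to the same site, which is the case the second reply describes.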
