
what is "Allow browser notification? [confirm]" overlay

sandax
2014-08-01
2014-08-04
  • sandax

    sandax - 2014-08-01

    prompt appears when visiting this page, for example:
    http://jsdo.it/tags

    The prompt:
    -- is not a "modal" and doesn't scroll as I move down the page
    -- is black-n-white (easily missed)
    -- does not disappear when I click the Confirm button

    Wondering what this is and why I haven't previously seen it,
    I visited the "Notification" preferences pane and found, yes, "enable notifications" is tickmarked.
    First, I unticked "Notify on Mixed Content" thinking that may be the trigger. Nope.
    Even after unticking the topmost "Enable Notifications" and reloading the page
    the "Allow browser notification? [confirm]" overlay persists.

    I'm stumped.

     

    Last edit: sandax 2014-08-01
    • Stefan Fröberg

      Stefan Fröberg - 2014-08-01

      It doesn't show any prompt for me:
      https://www.dropbox.com/s/h5onrbnbwutizx0/Screenshot.png

      Can you please give some screenshot of that ?

       
  • sandax

    sandax - 2014-08-02

    Also need to pin down whether it's occurring due to the various preferences I changed from their default settings. To test, I renamed config.ini ...but, upon restarting CD in the absence of the config file, instead of restored default values across all preferences, all values are (apparently) null or 0 or false. I suggest you bundle a duplicate "config.ini_orig" file and have the app fallback to reading from that if config.ini is not present.

    Now I've retested after extracting a pristine copy of config.ini from the distribution zipfile.
    here's a screencap of what I'm seeing: http://imgur.com/P85kiOs
    Maybe didn't notice it previously, but that confirmation is displayed even for the homepage of that site (didn't notice it earlier until I reached the "tags" page on that site).

    ps:
    among my intended tests (reason for using CD to browse the jsdo.it site) I wanted to gauge the webkit performance in rendering js/canvas, css animations, and WebGL. Results are not 100% satisfactory and...

    If possible / doable, additional tickbox prefs, under the general tab, for:

    -- disable html canvas rendering

    -- disable WebGL

    -- disable css animations (um, idunno the term. I mean css3 scripting, in general)

     

    Last edit: sandax 2014-08-02
    • Stefan Fröberg

      Stefan Fröberg - 2014-08-02

      Ok. That prompt is not mine. I have not coded anything like that
      into CD.
      I think it's HTML5 notification thing?

      I played with General tab settings and checked the following:
      - Local Storage
      - Offline Storage Database
      - Offline Web Application Cache

      And now I get that prompt too.
      But now I can't turn it off! unchecking any of those previous three settings won't help and neither clearing cache or even starting from completely fresh CD copy.

      Do you have any clue where HTML5 stuff might be stored in windows?

      I'm not sure what you mean by canvas rendering, do you mean HTML5 Canvas thing ?
      If so then I have already asked if there is a way to prevent Canvas fingerprinting by either completely disabling canvas or just its text rendering api.
      https://bugreports.qt-project.org/browse/QTBUG-40382

      Luckily, that addthis.com rule in tracker blocker will block majority of canvas fingerprinting attempts.

      As for WebGL, it's currently disabled (or at least should be) and if I remember correctly there is a runtime switch in QtWebKit for enabling/disabling it.

      Update: Damn! I have totally forgotten to set HTML5 local storage path .......

      Update 2: Tested with firefox, tested with IE and chrome. None of those show that prompt. I'm totally dumped now. All I know is that that prompt needs JavaScript (disabling JavaScript and reloading makes it go away)

      Update 3: Ok, found the script that does that prompt:
      Adding
      jsdo\.it/js/notification\.js
      to tracker blocker rules will make that prompt go away.

      However, this still does not explain why other browsers like chrome and IE don't show that prompt

       

      Last edit: Stefan Fröberg 2014-08-02
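
How a rule like the one in Update 3 behaves against request URLs, as an added example that is not CyberDragon's own code. It assumes the tracker blocker applies each rule as an unanchored regular-expression search (the page does not show the matching code); the URLs are constructed.

```python
import re

RULE = r"jsdo\.it/js/notification\.js"    # rule exactly as given in the post
UNESCAPED = "jsdo.it/js/notification.js"  # same rule with the backslashes dropped

# Constructed request URLs (not captured traffic)
REQUESTS = [
    "http://jsdo.it/js/notification.js",
    "http://jsdo.it/js/notification.js?v=3",
    "http://jsdo.it/js/common.js",
    "http://example.test/r?u=jsdo.it/js/notification.js",
    "http://jsdo-it/js/notification-js",
]

def blocked(urls, rule):
    """Return the URLs that one unanchored regex rule would block."""
    pattern = re.compile(rule)
    return [u for u in urls if pattern.search(u)]

def over_matches(urls, strict, loose):
    """URLs caught by the loose rule but not by the strict one."""
    hit = set(blocked(urls, strict))
    return [u for u in blocked(urls, loose) if u not in hit]

if __name__ == "__main__":
    for url in blocked(REQUESTS, RULE):
        print("blocked:", url)
    # An unescaped '.' matches any character, so the loose rule hits more.
    for url in over_matches(REQUESTS, RULE, UNESCAPED):
        print("only the unescaped rule blocks:", url)
```

Because the search is unanchored, the rule also fires when the script path merely appears inside another URL's query string, as in the fourth sample.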
  • sandax

    sandax - 2014-08-02

    Really, the appearance of the prompt, if it's a "bug" the appearance is trivial. What is troublesome (for me) is that the server is "seeing past" user-agent string and treating pages served to CD differently (different from same pages served to my ff browser, or qupzilla, etc.).

    Do you have any clue where HTML5 stuff might be stored in windows?

    So you're suspecting the prompt is the result of that (non-malicious) site attempting to write to html LocalStorage? Server has detected that the CD useragent appears to be LocalStorage -capable, but is oh-so-politely asking for permission to do so, vs blindly trying at the risk of running into CD settings (or webkit defaults) which might prevent LocalStorage access?

    Where is "html5 stuff" stored? AFAIK, in a sqlite db file... but I expect the pathed dbfile location differs across ff versions, across webkit flavors, across platforms.

    ===================

    WebGL:
    Unless building with WebGL bloats the distribution, I would recommend shipping it (and just include a pref which sets it disabled, by default). Today, this month, not many sites are "broken" by the absence of WebGL support... but we are collectively moving (we must) in that direction. I understand that concern exists regarding "WebGL fingerprinting", and I personally would choose to leave it set disabled most of the time... but on numerous occasions lately I have already regretted NOT having it.

    ====================

    html canvas:

    not sure what you mean by canvas rendering

    Yeah, sorry, that was too vague.
    A canvas element might be statically declared in an html document
    < canvas > < /canvas >
    or it might be created via scripted DOM manipulation.

    The preference, if enabled, would cause CD to either parse out, or replace any
    < canvas > tags... and/or ignore any scripted attempts to create (instantiate) a html canvas object.

    For those worried about canvas serving as a fingerprinting vector, avoiding canvas creation is a (the only) bulletproof solution. Elsewhere, I've read suggestions to "just overload canvas.toDataURL() to prevent misuse" but that's a naive (futile) approach. I should NOT have said "rendering"; a canvas object could be instantiated, manipulated, and fingerprinting details exfiltrated without it ever being visibly "rendered".

    One of your blog posts mentioned concern toward canvas fingerprinting. Evident in the fact that I mentioned it here -- as a p.s., within a General Discussion topic -- I personally don't yet worry (much) about that vector.

    =====================

    css3 scripting/animations:

    Idunno ~~ paint me as a cranky, old-school, prude.
    "They fear what they do not yet understand".
    Bullshit! The obfuscation bred by the practice of "unobtrusive" scripting (external scriptfiles) has INVITED, ENCOURAGED inclusion of embedded trackers, malware, and other non-user-beneficial bloat. (pusherjs, pusherapp, I'm lookin' at you, you ratbastards).

    "We insist, we must 'separate presentation from page structure'." and so (with that as the rationale) external stylesheets were foisted upon us. NOW, they want to place scripted LOGIC in those external stylesheets?!?

    sass, and less, and a side order of jquery.noconflict...
    Fukkem. Enough is ENOUGH !

    Hi. Yeah, I'm ranting.
    Lookit, if you can't achieve a toggle for suppressing scripted css3, I'll fall back to spoofing user-agent string claiming to be a non-capable browser version.

     

    Last edit: sandax 2014-08-02
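
The two ways a canvas reaches a page, as described in the post above, in an added example that is neither poster's code nor CyberDragon's. It strips statically declared canvas elements from markup and shows that a scripted `createElement("canvas")` call passes through untouched; the sample page and the names `CanvasStripper` and `strip_canvas` are constructed for illustration.

```python
from html.parser import HTMLParser

class CanvasStripper(HTMLParser):
    """Re-emit markup, dropping <canvas> elements and their fallback content."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.depth, self.removed = [], 0, 0  # depth > 0: inside canvas

    def handle_starttag(self, tag, attrs):
        if tag == "canvas":
            self.depth += 1
            self.removed += 1
        elif not self.depth:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "canvas":
            self.depth = max(0, self.depth - 1)
        elif not self.depth:
            self.out.append(f"</{tag}>")

    def _keep(self, text):
        if not self.depth:
            self.out.append(text)

    def handle_data(self, data): self._keep(data)
    def handle_entityref(self, name): self._keep(f"&{name};")
    def handle_charref(self, name): self._keep(f"&#{name};")
    def handle_comment(self, data): self._keep(f"<!--{data}-->")
    def handle_decl(self, decl): self._keep(f"<!{decl}>")

def strip_canvas(markup):
    """Return (filtered markup, number of canvas elements removed)."""
    parser = CanvasStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample page: one static canvas, one created from script.
SAMPLE = """<!DOCTYPE html>
<html><body>
<p>before &amp; after</p>
<canvas id="c" width="200" height="50">fallback text</canvas>
<script>var c = document.createElement("canvas");</script>
</body></html>"""

if __name__ == "__main__":
    filtered, count = strip_canvas(SAMPLE)
    print(count, "canvas element(s) removed")
    print(filtered)
```

Markup filtering only covers the declared element; the script in the sample still creates a canvas at run time, which is the second half of the requested preference.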
    • Stefan Fröberg

      Stefan Fröberg - 2014-08-03

      Well, as for WebGL the situation is a bit muddy with Qt:
      http://qt-project.org/wiki/Qt-5-on-Windows-ANGLE-and-OpenGL

      As you can see there are currently two ways to do hardware acceleration for browsers that WebGL needs:

      The old but slow (for Windows that is, because Microsoft's incompetence/unwillingness?, on Linux OpenGL is great) OpenGL

      And the newer Angle that just wraps OpenGL calls and batches them to underlying DirectX.

      Currently CD uses OpenGL for acceleration.
      Also for the free MinGW compiler (that I use for compiling) there currently does not seem to be any premade MinGW + ANGLE binary bundle.

      So if I want to support WebGL and make sure it's not slow I have to compile Qt myself with MinGW and ANGLE support enabled.

      So it will take time, it will add bloat (need to ship few directx files) and I won't enable it by default (for the fear of crashing) but I will add option. Maybe not in 1.6.5 but at least in 1.6.6.

      Your suggestion for parsing canvas tags is best as there is no other way to disable it from QtWebKit currently (and I'm not going to touch QtWebKit, that monster is absolutely huuge mountain of code and I don't even know where to begin)

       

      Last edit: Stefan Fröberg 2014-08-03
      • sandax

        sandax - 2014-08-04

        FWIW, if you put WebGL on back burner is fine by me. If only the linux build supports WebGL, not the windows version, that's fine by me also.

        As a feature request, specific to WebGL, above I was just suggesting "if you plan to support WebGL, please include a preference which permits toggling it off"

         
        • Stefan Fröberg

          Stefan Fröberg - 2014-08-04

          Done. PATCH_CyberDragon_1.6.4_Logger_and_other.zip adds WebGL tick.

           
  • sandax

    sandax - 2014-08-02

    I realize that my post, above, is a bit contentious. FWIW, I do acknowledge that css animation is usually less cpu-intensive than animation achieved via js, and it is less worrisome than the proprietary Flash(TM) or other alternative mechanisms. Still, any developers wanting to shove that into my browser should be (better be) prepared to "degrade gracefully". Otherwise, we'll ultimately wind up with "Sorry. This site can only be viewed using the goodness of the latest version of Google's blink-v8erator powered browser" (or similar divisive walled-garden content restrictions).

     

    Last edit: sandax 2014-08-05
