Hi all,
I'm thinking most users wouldn't want to bother going to the site to
create an account (and passing their credentials via a manually edited
config file).
I am thinking I will generate a key on the server end that is sent back
during the user's first 'push', and save it locally, to be used with
subsequent pushes (if key doesn't match, user cannot update the
javascript file of the same name).
Oh btw, I have a working scriptblock (similar to firefox's noscript).
I started by modifying Daniel's flashblock and ended up expanding quite a
bit (a little bit of the same code got reused).
It seems to work quite nicely, by default it does the following:
- Allows same domain scripts to run automatically (you can comment out
  a single line in scriptblock.js if you do not wish this)
- Blocks all scripts loaded from external sources until user left
  clicks (to allow entire domain) or right clicks (to allow individual
  script)
The :set scripts=false option is nice, but not as fluid for pinpointing
which scripts to keep around and which to discard.
At this time I chose not to add an auto reloader to the page when
scripts are allowed/denied, so you will have to press 'r' to reload
yourself.
Next up I will work on an adblocker, I use privoxy myself, but I have to
admit doing an "./ahungry_scripter.sh -a" would have been a lot easier
to set up for adblocking than setting up privoxy when I first started
with vimprobable.
Thanks,
-Matt
On Mon, Oct 15, 2012 at 08:52:21PM +0200, Hannes Schüller wrote:
> "Matthew Carter" <je...@gm...> wrote:
> > Right now script updates are locked down by IP address, so at this
> > point no one can update the three scripts I put on unless they spoof
> > my ip.
>
> I'm sure you are aware that the source address in IP is just a text
> field, so that is not really an authentication.
>
> > I realize this may lock some out of their own scripts if ip changes,
>
> Also, most people use dynamic IP addresses anyway.
>
> Anyway, I don't think any of this is really a problem right now,
> because I doubt that the Vimprobable user base, which would probably
> notice quickly enough, is really a worthwhile attack target. I just
> want to make sure that everybody is aware of the potential risks.
>
> Looking forward to see how this develops!
>
> Hannes
>
> _______________________________________________
> Vimprobable-users mailing list
> Vim...@li...
> https://lists.sourceforge.net/lists/listinfo/vimprobable-users
--
Matthew Carter
je...@gm...
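
The first-push key scheme proposed in the message above, sketched as an added example (not code from this thread or from ahungry_scripter.sh). The `ScriptStore` class and its method names are hypothetical, and the server side is modelled in memory.

```python
import hashlib
import hmac
import secrets


class ScriptStore:
    """In-memory stand-in for the script server (hypothetical)."""

    def __init__(self):
        # script name -> (SHA-256 hex digest of the push key, script body)
        self._scripts = {}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def push(self, name, body, key=None):
        """Return (accepted, new_key); new_key is set only on the first push."""
        entry = self._scripts.get(name)
        if entry is None:
            # First push of this name: mint a random key and return it once.
            # Only its hash is kept, so a leaked store does not leak keys.
            new_key = secrets.token_urlsafe(32)
            self._scripts[name] = (self._digest(new_key), body)
            return True, new_key
        stored_digest, _ = entry
        # A missing key counts as a mismatch; the comparison is constant-time.
        if key is None or not hmac.compare_digest(stored_digest, self._digest(key)):
            return False, None
        self._scripts[name] = (stored_digest, body)
        return True, None

    def get(self, name):
        return self._scripts[name][1]


if __name__ == "__main__":
    store = ScriptStore()
    ok, key = store.push("scriptblock.js", "// v1")         # first push
    print("first push accepted:", ok)
    print("update with saved key:", store.push("scriptblock.js", "// v2", key)[0])
    print("update with wrong key:", store.push("scriptblock.js", "// x", "guess")[0])
```

Unlike the source-IP check discussed in the quoted reply, the key does not depend on the client's address, but it only shows that the pusher is whoever first claimed the name, so it needs an encrypted transport and a client-side file that other local users cannot read.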