update RANT/tips file and LICENSE - jscancer - Javascript crap (relatively smal…
git clone git://git.codemadness.org/jscancer
---
commit 0f8b9b4e64a50d4361b2de662d9a7c2f751fa352
parent ba2f70be3d13bb1cedb16996d667c6a221a03f3d
Author: Hiltjo Posthuma <[email protected]>
Date: Thu, 4 Apr 2019 19:07:18 +0200
update RANT/tips file and LICENSE
Diffstat:
M LICENSE | 2 +-
M RANT_WEBTIPS | 33 +++++++++++++++++++++++++----…
2 files changed, 28 insertions(+), 7 deletions(-)
---
diff --git a/LICENSE b/LICENSE | |
@@ -1,6 +1,6 @@ | |
ISC License | |
-Copyright (c) 2016-2018 Hiltjo Posthuma <[email protected]> | |
+Copyright (c) 2016-2019 Hiltjo Posthuma <[email protected]> | |
Permission to use, copy, modify, and/or distribute this software for any | |
purpose with or without fee is hereby granted, provided that the above | |
diff --git a/RANT_WEBTIPS b/RANT_WEBTIPS | |
@@ -50,6 +50,7 @@ CSS: | |
Javascript: | |
- jslint: http://www.jslint.com/ | |
- uglifyjs: http://lisperator.net/uglifyjs/ check "Scope warnings" options. | |
+ NOTE: do not use minification! | |
Browsers: | |
- Test it in all common browsers (Firefox, Firefox ESR, Chrome) and some older | |
versions. | |
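Review bot: the added `NOTE: do not use minification!` line gives no reason, unlike most tips in this file, so state the one that matters here: minified scripts cannot be read or audited by the users and reviewers the file is written for. Since the note sits directly under the uglifyjs bullet, which is itself a minifier, also say explicitly that the tool is recommended only for its "Scope warnings" checks, not for producing the shipped script.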
@@ -115,22 +116,28 @@ CSS: | |
Video / audio: | |
- Never use DRM. | |
-- Preferably use open (container) formats such as webm, oggv. | |
-- Show the link to the file for viewing it in an external viewer. | |
+- Use open (container) formats such as webm, oggv. | |
+- Show the link to the file for viewing it in a normal movie/media player. | |
- Do not autoplay video and audio, this includes background video/audio: | |
- extremely invasive to the user. | |
+ extremely invasive to the user, potentially harmful to some (handicapped) | |
+ people. | |
Flash or other proprietary plugins: | |
- NEVER USE THEM! | |
- | |
Websockets: | |
- NEVER USE THEM! | |
+WebGL: | |
+- NEVER USE IT. Consider GPU kernel bugs and users exposing this to any remote | |
+ site... scary. It also opens options for GPU compute abuse (browser bitcoin | |
+ mining, side-channel attacks, memory attacks etc). | |
Captchas: | |
-- NEVER USE THEM! Consider the handicapped people. | |
+- NEVER USE THEM! Consider the handicapped people. A sane alternative is just | |
+ some question text "What is the color of a banana?". This solution is also | |
+ much more accessible to poor-sighted people etc. | |
HTTP protocol: | |
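Review bot: the captcha replacement proposed in this hunk, a fixed question such as "What is the color of a banana?", does not do what a captcha is for: a constant question with a constant answer is defeated by hard-coding the answer, so it should be presented as an accessibility trade-off (better accessibility, weaker bot resistance) rather than a "sane alternative", or qualified with advice to rotate the questions. "Consider the handicapped people" would also be stronger made concrete, e.g. image captchas exclude blind and low-vision users and audio captchas exclude deaf users.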
@@ -142,7 +149,8 @@ Cookies / localStorage: | |
- Try to reduce the amount of cookies, for static content there is no need to | |
use them. For logins Basic HTTP authentication can be used: | |
https://tools.ietf.org/html/rfc2617 (Section 2). | |
-- Don't use Javascript localStorage. | |
+- Don't use Javascript localStorage or session storage. This is a useless | |
+ technology often abused for persistent advertising tracking. | |
TLS (HTTPS): | |
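Review bot: the new wording bundles session storage with localStorage under "persistent advertising tracking", but sessionStorage is scoped to the tab and discarded when it closes, so the persistence argument only holds for localStorage. Either drop "or session storage" or give a reason that applies to both, such as per-origin client-side state that any script running on the page can read.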
@@ -196,3 +204,16 @@ Use of content-delivery networks (CDNs): | |
your site and make it untrusted for all clients. Some sites use so-called | |
"Subresource Integrity headers", but these are just another ugly standard/ha… | |
for the ugly web. | |
+ | |
+ https://torrentfreak.com/cloudflare-and-riaa-agree-on-tailored-site-blocking… | |
+ | |
+ | |
+Misc scary things: | |
+- CSS keylogging: https://github.com/maxchehab/CSS-Keylogging | |
+- Talk "Scriptless Attacks: Stealing the Pie Without Touching the Sill". | |
+- Javascript rowhammer attack: https://www.vusec.net/projects/glitch/ | |
+- Researchers show Nvidia GPUs can be vulnerable to side channel attacks: | |
+ https://www.techspot.com/news/77301-researchers-show-nvidia-gpus-can-vulnera… | |
+- In-browser (local) port scanning and probing: | |
+ https://defuse.ca/in-browser-port-scanning.htm | |
+ https://github.com/joevennix/lan-js/tree/master/src |
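Review bot: the torrentfreak URL appended to the CDN paragraph is added without a sentence saying what it illustrates (a CDN operator agreeing to block sites on behalf of a third party, which is the "untrusted for all clients" risk the paragraph describes); add a short lead-in, and collapse the two blank lines that follow it to one. In the new "Misc scary things" list the "Scriptless Attacks" talk is the only entry without a link or citation; adding one would match the other items.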