It seems that you're using an outdated browser. Some things may not work as they should (or don't work at all).
We suggest you upgrade newer and better browser like: Chrome, Firefox, Internet Explorer or Opera

×
Community
General discussionThe "what did just break" thread(1649 posts) (1649 posts) 
(1649 posts) 
Pages:
1
25
50
75
100
101
102
103
104
110
This is my favourite topic
Posted May 12, 2016
avatar
avatar
rtcvb32: It just might.... Botnets and other things can run in the background using JS.

I've heard some of the government feedback sites have 800,000 lines of javascript for their code that might do something as simple as display a text file, or send them an email. What's all those lines of code doing anyways? Running unsafe/untrusted code is considered stupid, running untrusted scripting can be just as stupid as it can install malware, or grab all your username and passwords as you type them in and send them back.

I'd rather have the minimum of scripting running from sites i trust.
Security should be taken seriously. No question about that. But paranoia is an illness, not something to aspire to. People who see all scripts as bad are paranoid and wrong.

Yes, it is very possible to kill people with hammers, but this is not a reason to develop a phobia and outlaw all hammers. They are important and useful tools. Sure, if a shady guy is approaching you with a hammer at night in a dark alley in a criminal part of town, you should probably be worried. But running away from a carpenter working on a new house in your neighborhood is ... unwise. Even though there is always a chance that said carpenter is the dangerous one, that chance is very, very low.
Post edited May 12, 2016 by Alaric.us
Posted May 12, 2016
avatar
There's a huge number of sites/companies I don't trust. Google, Facebook, Twitter, Microsoft, just to name a few. So when I go to a site and see there's 10+ scripting sources three of which are google and others going to sites I have frankly no interest in, I'm glad I have NoScript. I enable scripts I trust, and refuse ones that don't.

Call me paranoid, but I like knowing what I'm running and what my computer is doing, and with more and more of the interconnected script sharing that goes on it becomes less clear where the real code is and what it's doing. I hate seeing Firefox locked using all of one CPU for seemingly no reason since there shouldn't be ANY scripts it's actively running, and yet it does.
Posted May 12, 2016
avatar
avatar
rtcvb32: There's a huge number of sites/companies I don't trust. Google, Facebook, Twitter, Microsoft, just to name a few. So when I go to a site and see there's 10+ scripting sources three of which are google and others going to sites I have frankly no interest in, I'm glad I have NoScript. I enable scripts I trust, and refuse ones that don't.

Call me paranoid, but I like knowing what I'm running and what my computer is doing, and with more and more of the interconnected script sharing that goes on it becomes less clear where the real code is and what it's doing. I hate seeing Firefox locked using all of one CPU for seemingly no reason since there shouldn't be ANY scripts it's actively running, and yet it does.
1. I am yet to hear about a case where Google or Microsoft have done something unsavory by hosting a known open-source library like JQuery, Angular, etc. If they decide to harvest your info they will do so via their own software or services you are probably using. No need to insert malicious code into something like Opbeat.

2. Why worry about scripts alone? There is SO MUCH MORE out there, which comprises a modern web site that could ostensibly be used for evil purposes. Client-side scripts are just a fraction of code that runs at any given moment. I'd worry a lot more about what happens on the company's servers, that's where most malicious deeds usually transpire.

3. Your browser hogging CPU/RAM is probably due to some bug or inefficiency. Could be the site, could be the browser itself. It's like traffic on the road. Sure it sucks, but refusing to use cars because traffic can happen, is probably an overreaction.
Post edited May 12, 2016 by Alaric.us
Posted May 12, 2016
You can try following:

Go to NoScript settings -> Advanced tab -> Trusted tab,
then enable checkbox "Cascade top document's permissions to 3rd party scripts"

Then you would trust what we embed ourselves without permitting couldfront globally.

I don't see an option to add file or file regex (only domain regex) to whitelist, unfortunately.
Posted May 12, 2016
I'd like to add something:

avatar
rtcvb32: running untrusted scripting can be just as stupid as it can install malware
- JavaScript can't install malware on your computer.
- JS running on www.gog.com can't get your login credentials on GOG.com too, because it's done on a separate domain (login.gog.com) - no JS that is running by the main page can access what's inside. Unless you are running - let's say - old Internet Explorer with some security settings disabled.
- It can't get your session cookie too, because it's "HTTP only".

What's interesting - for example Adalia Fundamentals, other userscripts, or browser addons (like NoScript :D ), potentially can get your password as you type, or your session cookie in the next update with no problem at all. ;)

Consider that popular userscript or browser addon creator is hacked, or NoScript/GreaseMonkey gets sold to evil company. Good that browser is asking for camera permiossions. ;) Security is important.
Post edited May 12, 2016 by Johny.
Posted May 12, 2016
avatar
Perhaps. I still don't trust them.

Regardless, linking your page to download an external library vs having a local fixed copy that's easy to access and known to be static is a risk. Let's assume a mirror is spoofed and a modified version of the open library with malicious code was added, cached computers might be fine for a while but hundreds of thousands of computers could be affected until the library was removed, vs a static file saved locally on a site where the entire site can't be spoofed in such a way.

Opening the page source i see a quick obvious example of this...

<script src="[url=https://d3tvtfb6518e3e.cloudfront.net/2/angular-opbeat.min.js"></script&gt]https://d3tvtfb6518e3e.cloudfront.net/2/angular-opbeat.min.js"></script&gt[/url];

avatar
Considering I have 30 something tabs open and probably a huge list of history that needs to be cleared, I'm sure it's more to that then inefficiency. Web pages broken down in it's internal format is something like 20x the original size of the page downloaded.

Still, just because traffic (or accidents) can happen is hardly the reason I'd refuse to use a car. But if there's cameras at every stop light, stop sign, and entrance to major stores that snapped a picture of my face, my license plate, I might just start jogging with a paperbag over my head.

avatar
rtcvb32: running untrusted scripting can be just as stupid as it can install malware
avatar
Johny.: - JavaScript can't install malware on your computer.
I refer back to the botnet video I posted. Malware doesn't need to necessarily have to run outside of your browser. Your files (and porn) may be safe, but privacy and passwords are more valuable, especially if people have really poor password policies.
Posted May 12, 2016
avatar
rtcvb32: But if there's cameras at every stop light, stop sign, and entrance to major stores that snapped a picture of my face, my license plate, I might just start jogging with a paperbag over my head.
Never visit London, England.
Posted May 12, 2016
avatar
rtcvb32: But if there's cameras at every stop light, stop sign, and entrance to major stores that snapped a picture of my face, my license plate, I might just start jogging with a paperbag over my head.
avatar
ssokolow: Never visit London, England.
In fact it's probably the time to flee the US. Your options include Zimbabwe, Sierra Leone, Moldova, and Afghanistan.
Posted May 12, 2016
I'll just leave this here again. For the generally applicable parts, I mean.

"Technology enthusiasts and corporate giants want us to believe that their vision of the future is not a mere wish but a foretelling. Nowhere is this more true than in projections about our data-driven future, and in the spectacular narrowing of imagination about innovation to a suite of smartphone and sensor-mediated services.

Ethics is here to insist that the future is full of open possibilities, that we are free to reject those technologies or processes that will worsen our lives, and that if we do reject them, they will fail. [...]

The message for ethicists, politicians, businesses and all of us is that we must be bold: nothing is inevitable, but everything is at stake."
Posted May 12, 2016
avatar
Johny.: - JavaScript can't install malware on your computer.
avatar
rtcvb32: I refer back to the botnet video I posted. Malware doesn't need to necessarily have to run outside of your browser. Your files (and porn) may be safe, but privacy and passwords are more valuable, especially if people have really poor password policies.
I'll watch the video later - sounds interesting. JavaScript can BE malware (somewhat restricted by the browser security), but can't install any. ;)

Stay safe!

Did someone try the NoScript settings I suggested, or have bad opinion about them? ;)
Posted May 12, 2016
avatar
Johny.: I'll watch the video later - sounds interesting. JavaScript can BE malware (somewhat restricted by the browser security), but can't install any. ;)

Stay safe!

Did someone try the NoScript settings I suggested, or have bad opinion about them? ;)
I can't log in to my account on my Android tablet since yesterday because the account button disappeared !
I tried the https://www.gog.com/account link, activate, desactivate the Javascript, clear my cookies and Temporary files, no result.
Everything works on my phone and my computer, though.
Posted May 12, 2016
Notifications seem to be working on the forum again now :)
Posted May 12, 2016
avatar
adaliabooks: Notifications seem to be working on the forum again now :)
Sure seems like it.
Posted May 12, 2016
my login button is finally back. it was missing, but the strange thing is that i don't have anything that's blocking javascript as far as i can tell. anyway glad it's working again

update:
no, it's gone again when i go to the main page and my account is blank.
Post edited May 12, 2016 by Smogg
Posted May 12, 2016
avatar
mrkgnao: Did you have it on your wishlist at some point before February 26, 2016 (when GOG changed its ID)?
If so, the old ID is probably still on your wishlist, you just can't see it and can't delete it.
avatar
eiii: Probably. :)

avatar
mrkgnao: If one of the numbers appearing is 1441029515 (the old ID) then it's on your wishlist.
avatar
eiii: It is.

avatar
mrkgnao: P.S. And for all we know, that ID might still be on sale, since it is no longer part of the GOG catalogue and cannot be seen.
avatar
eiii: Please stop that sale, GOG! :P

And perhaps remove the game from the wishlists of your users (or give me a way to do it myself).
+1 to everything! I wishlisted the damn game when it was supposed to support Linux, and never got the chance to remove it from my wishlist when they decided to ditch my OS. :(
Pages:
1
25
50
75
100
101
102
103
104
110
This is my favourite topic
Community
General discussionThe "what did just break" thread(1649 posts) (1649 posts) 
(1649 posts)