• Eldelshell (disco)

    Billy is a Network engineer, I'm sure he can change the cache headers somewhere... like on the FIRST proxy.

  • loose (disco)

    There is something a bit hinky about this.

    Cache / no Cache, HTTP / HTTPS there are plenty of Sites that can cope with combinations of them without issue.

    Now, pageweight might be an issue, but we don't know. The content could entirely be high quality images of documents.

    As for autocomplete. Browsers should not be doing this shit. Or if they did; have it a simple on/off and it is on or off and it is switched between those States with security being the main and only concern.

  • dkf (disco) in reply to loose
    loose:
    As for autocomplete. Browsers should not be doing this shit.

    I hate it when sites go to great lengths to disable this sort of thing. I've already secured my client system more than they've secured their servers, why shouldn't I have my system cache things?

  • Eldelshell (disco) in reply to dkf

    Yeah, I hate not having autocomplete, but it's worse when a site disables the browser's remember credentials feature.

  • Jaloopa (disco) in reply to Eldelshell

    Not as bad as disabling paste

  • loose (disco) in reply to dkf
    Comment held for moderation.
  • loose (disco) in reply to loose
    Comment held for moderation.
  • loose (disco)

    In HTML 4 autocomplete came out too late to be included in the standard, which was a bit of a pain when you wanted HTML Compliance.

    They rectified it in HTML 5. But I'm not sure if it being applied "per input" is the way to go - could be a :wtf: waiting to happen.

  • tharpa (disco) in reply to Jaloopa
    Jaloopa:
    Not as bad as disabling paste
    I have not even been able to figure out why some sites do this. Is it sheer stupidity, or is there a reason?
  • dkf (disco) in reply to tharpa
    tharpa:
    Is it sheer stupidity, or is there a reason?

    How would you distinguish between the two options?

  • Jaloopa (disco) in reply to tharpa
    tharpa:
    is there a reason?

    I most often see it on "confirm your email" boxes. Presumably the motivation is to stop you typoing the first time and then copypasta into the confirm box. Ignoring the fact you might be copying from somewhere else, or just not a complete idiot

  • Protoman (disco) in reply to tharpa
    tharpa:
    I have not even been able to figure out why some sites do this. Is it sheer stupidity, or is there a reason?

    I'm not sure. I do know that developer.apple.com used to disable paste in its login form for a long time, and since I use a password manager to store my passwords, I always had to disable JavaScript on the login page in order to paste in my password.

    Fortunately, Apple saw the light some time in the past few years, and now paste is non-disabled there as it should be.

  • EmptyJayy (disco) in reply to Jaloopa
    Jaloopa:
    Not as bad as disabling paste

    What's even worse is disabling copy/paste only on a Mac! AT&T Wireless's business site has some convoluted JavaScript that disables any Meta key combination EXCEPT Ctrl-C, Ctrl-V, Ctrl-X. This is fine for Windows, but Macs use ⌘-C, ⌘-V and ⌘-X.

    Now I'm getting more pissed and motivated to figure out enough GreaseMonkey to prevent loading that script...

  • Jaloopa (disco) in reply to EmptyJayy
    EmptyJayy:
    disables any Meta key combination EXCEPT Ctrl-C, Ctrl-V, Ctrl-X. This is fine for Windows, but Macs use ⌘-C, ⌘-V and ⌘-X.

    :headdesk:

    Why would they even try to do that?

  • EmptyJayy (disco) in reply to Jaloopa
    Jaloopa:

    :headdesk:

    Why would they even try to do that?

    Because it was in the spec?

  • loose (disco) in reply to tharpa
    Comment held for moderation.
  • accalia (disco) in reply to EmptyJayy
    EmptyJayy:
    Now I'm getting more pissed and motivated to figure out enough GreaseMonkey to prevent loading that script...

    i'd just mark that script as adware and let my adblocker take care of it.

    assuming of course that it's not buried in a script bundle that has tons of actually useful functionality in it.

  • RaceProUK (disco) in reply to Jaloopa
    Jaloopa:
    EmptyJayy:
    disables any Meta key combination EXCEPT Ctrl-C, Ctrl-V, Ctrl-X. This is fine for Windows, but Macs use ⌘-C, ⌘-V and ⌘-X.

    :headdesk:

    Why would they even try to do that?

    Because how can a PC computer run without a Windows on it? ;)

  • Jaloopa (disco) in reply to loose
    Comment held for moderation.
  • dkf (disco) in reply to loose
    loose:
    At the end of the day, the best and only way to validate something like an email is to get the User to type it in twice.

    No, the only way to validate it is to send email to it with a link that the user follows and performs a login action via that page. The type-it-twice stuff is merely a prophylactic, since some people do consistent typos…

  • locallunatic (disco) in reply to loose
    Comment held for moderation.
  • loose (disco)
    Comment held for moderation.
  • accalia (disco) in reply to loose
    Comment held for moderation.
  • EmptyJayy (disco) in reply to accalia
    accalia:

    i'd just mark that script as adware and let my adblocker take care of it.

    assuming of course that it's not buried in a script bundle that has tons of actually useful functionality in it.

    That's a really good idea. Thanks!

  • Jaloopa (disco) in reply to accalia

    insert flame war about whether a regex can be used to validate an email address here

  • loose (disco) in reply to accalia

    [quote="everydamnbody] At the end of the day, the best and only way to validate, at the point of collection, something like an email is to get the User to type it in twice. [/quote]

    FTFY

  • accalia (disco) in reply to Jaloopa
    Comment held for moderation.
  • loose (disco) in reply to loose

    Besides, you're quoting me out of context.

    You gotta read it with this:

    loose:
    Cutting and pasting sorta defeats the object of the exercise. I suppose persistent practitioners of this - who are only harming themselves, will eventually get the internet equivalent of a Darwin Award.

    :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface:

  • accalia (disco) in reply to loose
    loose:
    FTFY

    not really. that's not validation, that's just a debounce method to reduce the chance of a typo giving you the wrong email address.

  • EmptyJayy (disco) in reply to Jaloopa
    Comment held for moderation.
  • Jaloopa (disco) in reply to EmptyJayy
    Comment held for moderation.
  • locallunatic (disco) in reply to accalia
    accalia:
    it can't be.

    You can't check all of the is valid with one, no. But you can hit the vast majority of what is actually used by people. It's all about the trade off of "not allowing the couple people with addresses that can't be checked" vs. "works for the vast majority of users prior to checking if is actually good (if you even do that part)", where you should fall in that spectrum totally depends on why you are collecting it and what the pool you are pulling users from is.

  • EmptyJayy (disco) in reply to Jaloopa
    Comment held for moderation.
  • anotherusername (disco) in reply to EmptyJayy

    Right-click, Paste... wait, you said Mac?

    Are we still allowed to make jokes about Macs and one-button mice?

  • Jaloopa (disco) in reply to locallunatic
    Comment held for moderation.
  • Jaloopa (disco) in reply to anotherusername
    anotherusername:
    Are we still allowed to make jokes about Macs and one-button mice?

    We still make jokes about Windows bluescreening, so why not?

  • locallunatic (disco) in reply to Jaloopa
    Comment held for moderation.
  • JBert (disco) in reply to Jaloopa
    Comment held for moderation.
  • Dogsworth (disco) in reply to dkf
    dkf:
    I hate it when sites go to great lengths to disable this sort of thing. I've already secured my client system more than they've secured their servers, why shouldn't I have my system cache things?

    AMEN! I would also assume that if users can't store a decent password, they're more likely to use a shitty, more memorable one.

    inb4 KeePass

  • tharpa (disco) in reply to dkf
    dkf:
    tharpa:
    Is it sheer stupidity, or is there a reason?

    How would you distinguish between the two options?

    You would have to hear the reason.
  • flabdablet (disco) in reply to dkf
    dkf:
    send email to it with a link that the user follows and performs a login action via that page

    Not a login action, please. Just a link including a nonce that pairs with a browser cookie to confirm that the email was received by the same user on the same computer as the browser that filled in the email form. Nobody should ever send an email with a clickable link to a login page; that pattern should belong only to phisherfolk.
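
The nonce-plus-cookie confirmation described in the post above, as an added example that is not part of the thread. It is written for Node.js; the in-memory store, the 30-minute lifetime and the function names are assumptions.

```javascript
// Added example: the emailed nonce confirms an address only when it arrives
// together with the cookie set in the browser that submitted the form.
const nodeCrypto = require('node:crypto');

const pending = new Map();        // hex(sha256(nonce)) -> { email, cookieHash, expires }
const TTL_MS = 30 * 60 * 1000;    // assumed lifetime of a confirmation link

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();
const randomToken = () => nodeCrypto.randomBytes(32).toString('base64url');

// Called when the email form is submitted. `nonce` goes into the emailed link,
// `cookie` into a Secure; HttpOnly cookie on the submitting browser.
function startConfirmation(email, now = Date.now()) {
  const nonce = randomToken();
  const cookie = randomToken();
  // Only hashes are stored, so a leaked table does not yield usable links.
  pending.set(sha256(nonce).toString('hex'), {
    email, cookieHash: sha256(cookie), expires: now + TTL_MS,
  });
  return { nonce, cookie };
}

// Called when the emailed link is followed. Returns the confirmed address,
// or null. No session is created here: the link confirms, it does not log in.
function finishConfirmation(nonce, cookie, now = Date.now()) {
  const key = sha256(String(nonce)).toString('hex');
  const rec = pending.get(key);
  if (!rec) return null;
  if (now > rec.expires) { pending.delete(key); return null; }
  const presented = sha256(String(cookie ?? ''));
  if (!nodeCrypto.timingSafeEqual(rec.cookieHash, presented)) return null;
  pending.delete(key);            // single use
  return rec.email;
}
```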

  • TimeBandit (disco) in reply to RaceProUK
    RaceProUK:
    Because how can a PC computer run without a Windows on it? ;)
    Only option would be a Linux-hardware PC :wink:
  • EmptyJayy (disco) in reply to EmptyJayy
    EmptyJayy:
    accalia:

    i'd just mark that script as adware and let my adblocker take care of it.

    assuming of course that it's not buried in a script bundle that has tons of actually useful functionality in it.

    That's a really good idea. Thanks!

    I dug into it again, and found that the offending function is an inline in the HTML doc. So, no excising it that way.

    This is awful:

    function filterNumbersHyphen(eventObj) {

    var key = null;
    var keyCodeExceptions = new Array(8, 46, 16, 9, 17, 20, 19, 13, 35, 36, 37, 39, 127);
    
    
    	if(window.event) {
    		key = window.event.keyCode;
    		//enable basic keyboard operations
    		for ( var i=0; i<keyCodeExceptions.length; i++ )
    		if ( keyCodeExceptions[i] == key ) return true;
    		//enable copy/paste
    		if ( (key==67 && window.event.ctrlKey) || (key==86 && window.event.ctrlKey) )
    		return true;
    		//the number filter, accepts only digits 0..9,'-' and '.' no shifted special chars
    		return ( key != null && !window.event.shiftKey && (key > 47 && key < 58) || (key > 95 && key < 106)|| (key==189)|| (key==190) );
    		//note: window.event.cancelBubble is done by returning true or false
    	} else {
    		key = eventObj.which;
    		
    		//enable basic keyboard operations
    		for ( var i=0; i<keyCodeExceptions.length; i++ )
    		if ( keyCodeExceptions[i] == key ) return true;
    		//enable copy/paste
    		if ( (key==67 && eventObj.ctrlKey) || (key==86 && eventObj.ctrlKey) )
    		return true;
    		//the number filter, accepts only digits 0..9,'-' and '.' no shifted special chars
    		return ( key != null && !eventObj.shiftKey && (key > 47 && key < 58) || (key > 95 && key < 106)|| (key==173) ||(key==189)|| (key==190)|| (key==109));
    	}
    
    }
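
The key handling in the function posted above, replayed on constructed events and followed by a value-based alternative. This is an added example, not code from the thread or from the site in question; `postedFilter`, `cleanNumeric` and the `data-numeric` attribute are names assumed here.

```javascript
// Added example. postedFilter() mirrors the non-IE branch of the handler
// quoted above, precedence included; the events are constructed plain objects.
const EXCEPTIONS = [8, 46, 16, 9, 17, 20, 19, 13, 35, 36, 37, 39, 127];

function postedFilter(ev) {
  const key = ev.which;
  if (EXCEPTIONS.includes(key)) return true;
  // Only ctrlKey is consulted, so the Mac ⌘ modifier (metaKey) never passes.
  if ((key === 67 || key === 86) && ev.ctrlKey) return true;
  // && binds tighter than ||, so !shiftKey guards only the 48..57 range.
  return (key != null && !ev.shiftKey && key > 47 && key < 58) ||
    (key > 95 && key < 106) || key === 173 || key === 189 || key === 190 || key === 109;
}

const mk = (which, mods = {}) =>
  ({ which, ctrlKey: false, metaKey: false, shiftKey: false, ...mods });

// What the posted logic decides for four constructed keydown events.
function decisions() {
  return {
    ctrlV: postedFilter(mk(86, { ctrlKey: true })),         // paste on Windows
    cmdV: postedFilter(mk(86, { metaKey: true })),          // paste on a Mac
    shiftFive: postedFilter(mk(53, { shiftKey: true })),    // '%' on a US layout
    shiftHyphen: postedFilter(mk(189, { shiftKey: true })), // '_' on a US layout
  };
}

// Alternative sketch (assumption: the field takes digits, '-' and '.'):
// cancel no key events; clean the value after every change, so typing, paste,
// drag-and-drop and autofill all go through the same check.
function cleanNumeric(raw) {
  return String(raw).replace(/[^0-9.-]/g, '');
}

// Browser wiring; data-numeric is a hypothetical marker attribute.
if (typeof document !== 'undefined') {
  document.addEventListener('input', (e) => {
    const el = e.target;
    if (el.matches && el.matches('input[data-numeric]')) {
      const cleaned = cleanNumeric(el.value);
      if (cleaned !== el.value) el.value = cleaned;
    }
  });
}
```

Client-side cleaning of this kind is a convenience only; the server still has to validate the submitted value.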
    
  • FrostCat (disco) in reply to EmptyJayy
    EmptyJayy:
    You would not believe the number of people who think my gmail.com address is theirs.

    Last year some woman tried to give herself my address--my first clue was when she somehow managed to get the password reset. Fortunately I had given them a phone number and done the thing where you have a list of one-time-use codes printed and I managed to get it back. Then she signed me up for some mailing list. I asked the other people to let her know she was using someone else's address, but apparently they couldn't be bothered, although they did unsubscribe me.

    But she was persistent, and created Instagram and maybe one or two other accounts, so I reset the passwords and randomized them. Nothing more until Christmas, when she ordered something online. I considered cancelling the order or calling her to tell her to stop using my email address, but am too nice for that, and she hasn't done anything since.

  • FrostCat (disco) in reply to Jaloopa
    Comment held for moderation.
  • HardwareGeek (disco) in reply to EmptyJayy
    EmptyJayy:
    It shows here, right?

    Only you and admins can see your email address. If what you typed as your "long name" is actually your real name (for many of us, it's not), then we can infer your address from the information you gave.

  • HardwareGeek (disco) in reply to FrostCat
    Comment held for moderation.
  • EmptyJayy (disco) in reply to HardwareGeek
    HardwareGeek:
    EmptyJayy:
    It shows here, right?

    Only you and admins can see your email address. If what you typed as your "long name" is actually your real name (for many of us, it's not), then we can infer your address from the information you gave.

    Yeah, that's what I was referring to. It shows for me, but of course, I'm logged in and can see my own info.

  • lolwhat (disco) in reply to HardwareGeek

    And _.

  • Jaloopa (disco) in reply to HardwareGeek

    /s/letters/unicode codepoints

Leave a comment on “Paying Cache for Insurance”
