Admin
Billy is a Network engineer, I'm sure he can change the cache headers somewhere... like on the FIRST proxy.
Admin
There is something a bit hinky about this.
Cache / no Cache, HTTP / HTTPS there are plenty of Sites that can cope with combinations of them without issue.
Now, pageweight might be an issue, but we don't know. The content could entirely be high quality images of documents.
As for autocomplete. Browsers should not be doing this shit. Or if they did; have it a simple on/off and it is on or off and it is switched between those States with security being the main and only concern.
Admin
I hate it when sites go to great lengths to disable this sort of thing. I've already secured my client system more than they've secured their servers, why shouldn't I have my system cache things?
Admin
Yeah, I hate not having autocomplete, but it's worst when a site disables the browser's remember credentials feature.
Admin
Not as bad as disabling paste
Admin
Because there is no intelligence behind it (Browsers "autocomplete" functionality).
@Eldelshell I'm not talking about remembering passwords, but the dumb filling in of forms.
Yes it is helpful. But it is helpful because the website has spit out your 100 answer application form, because you forgot to capitalise your name. The WTF here is the Web Devs, as alluded to in the Article. But for the wrong reasons, so to speak.
Admin
I think I misread your post a bit there, sorry.
Still, the clarification holds. :)
Admin
In HTML 4 autocomplete came out too late to be included in the standard, which was a bit of a pain when you wanted HTML Compliance.
They rectified it in HTML 5. But I'm not sure if it being applied "per input" is the way to go - could be a :wtf: waiting to happen.
Admin
How would you distinguish between the two options?
Admin
I most often see it on "confirm your email" boxes. Presumably the motivation is to stop you typoing the first time and then copypasta into the confirm box. Ignoring the fact you might be copying from somewhere else, or just not a complete idiot
Admin
I'm not sure. I do know that developer.apple.com used to disable paste in its login form for a long time, and since I use a password manager to store my passwords, I always had to disable JavaScript on the login page in order to paste in my password.
Fortunately, Apple saw the light some time in the past few years, and now paste is non-disabled there as it should be.
Admin
What's even worse is disabling copy/paste only on a Mac! AT&T Wireless's business site has some convoluted JavaScript that disables any Meta key combination EXCEPT Ctrl-C, Ctrl-V, Ctrl-X. This is fine for Windows, but Macs use ⌘-C, ⌘-V and ⌘-X.
Now I'm getting more pissed and motivated to figure out enough GreaseMonkey to prevent loading that script...
Admin
:headdesk:
Why would they even try to do that?
Admin
Because it was in the spec?
Admin
LOL.
At the end of the day, the best and only way to validate something like an email is to get the User to type it in twice.
Cutting and pasting sorta defeats the object of the exercise. I suppose persistent practitioners of this - who are only harming themselves - will eventually get the internet equivalent of a Darwin Award.
HAAANNNNNNNNNNNNNZOOOOOOOOOOO!!!!!
Somehow clicking the reply button killed my IE Browser. Not as in crash and burn, but as in "...it became totally disconnected from the server... ...didn't have a clue as to where it was in time or space...." - All other Browser windows were fine.
Anyhoo, by the time I had sorted it out - closed down, go away, have a coffee, reopen Browser @Jaloopa had beat me to it (can you abuse a tuit?)
Admin
i'd just mark that script as adware and let my adblocker take care of it.
assuming of course that it's not buried in a script bundle that has tons of actually useful functionality in it.
Admin
Because how can a PC computer run without a Windows on it? ;)
Admin
No, the only way to validate an email is to try to send an email to it. Typing it twice prevents typos but not people getting it wrong, misreading and typing their username, using @mycompany.com despite their actual address being .co.uk, etc.
Admin
No, the only way to validate it is to send email to it with a link that the user follows and performs a login action via that page. The type-it-twice stuff is merely a prophylactic, since some people do consistent typos…
Admin
Uh, what? You send them an email, that is the only way to validate an email.
EDIT: and double :hanzo: by @Jaloopa and @dkf
Admin
@jaloopa && @dkf Ok Ok, you made your point. Perhaps I should be more precise / pedantic. Besides, the....
Dammit....
Must...resist...being...drawn....................into..........................................a.....................................Monty Pythonyesque(??) reality!
Admin
noooo..... that's not how you do it. you get them to type it in twice to reduce the chance of an @accalia, then you send them an email with an activation link in it. that way you verify that y'know they can actually get email at the address they provide.
additionally you should have no validation on the email address other than "does it have an @ and a domain part?" any other validation should be warning level only "it looks like you might be missing part of your domain name and may be undeliverable, are you sure that
timmy.kitty@comcast
is your email address?"
Admin
That's a really good idea. Thanks!
Admin
insert flame war about whether a regex can be used to validate an email address here
Admin
[quote="everydamnbody"] At the end of the day, the best and only way to validate, at the point of collection, something like an email is to get the User to type it in twice. [/quote]
FTFY
Admin
it can't be.
but you can write one to validate "do i think i can deliver this possibly?"
/\b[^@]+@[^@]+\b/
would validate that it has an account+domain portion
that's all the validation i would do actually, and even then i'd just use it to put up a warning that the email may be undeliverable. if they choose to submit it i'll still try to deliver.
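The "hard-fail only on shape, warn on everything else" policy from the posts above, as an added example that is not part of the original thread or any poster's code. The function name `checkEmail`, the warning texts and the choice to split on the last `@` are assumptions of this sketch.

```javascript
// Added example: reject only when there is no mailbox@domain shape at all;
// every other doubt becomes a warning the user may override.
function checkEmail(input) {
  const addr = String(input).trim();
  // Split on the last "@": a quoted mailbox part may itself contain "@".
  const at = addr.lastIndexOf("@");
  if (at <= 0 || at === addr.length - 1) {
    return { accept: false, warnings: ["needs a mailbox, an @ and a domain"] };
  }
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);
  const warnings = [];
  if (!domain.includes(".")) {
    warnings.push(`"${domain}" has no dot; the domain may be incomplete`);
  }
  if (domain.split(".").some((label) => label === "")) {
    warnings.push("domain has an empty label (stray or doubled dot)");
  }
  if (/\s/.test(addr)) {
    warnings.push("address contains whitespace");
  }
  if (local.length > 64) {
    warnings.push("mailbox part is longer than 64 characters");
  }
  // accept stays true: the only real proof is a delivered confirmation mail.
  return { accept: true, warnings };
}
```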
Admin
Besides, you're quoting me out of context.
You gotta read it with this:
:trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface:
Admin
not really. that's not validation, that's just a debounce method to reduce the chance of a typo giving you the wrong email address.
Admin
This. Exactly this. You would not believe the number of people who think my gmail.com address is theirs. I've had multiple Facebook accounts, a Microsoft account created and more random email from Eastern Europe than you can shake a stick at. Of course, since they created it with my email, I can claim I "lost my password" and do anything I want with their accounts.
I even had some guy in New Jersey put my email address down when he bought a car. Man was that dealer pissed with my answers to their survey. Of course, once I told him I'd asked to be removed several times, he changed his tune.
Admin
Do you have [email protected] or something?
Admin
You can't check all of the is valid with one, no. But you can hit the vast majority of what is actually used by people. It's all about the trade off of "not allowing the couple people with addresses that can't be checked" vs. "works for the vast majority of users prior to checking if is actually good (if you even do that part)", where you should fall in that spectrum totally depends on why you are collecting it and what the pool you are pulling users from is.
Admin
Take the first 6 letters of my last name. It shows here, right? (New sign-up, long-time lurker.)
It's very similar to some Polish and Czech names, I guess. Also, the MS account came from a guy in Mexico. I have no idea how I ended up with that one.
Admin
Right-click, Paste... wait, you said Mac?
Are we still allowed to make jokes about Macs and one-button mice?
Admin
:popcorn:
Personally, I'd validate letters, an @, some more letters, with a warning if there's no dot after the @. Of course, the usual counter to that is that bangpaths or some other weirdness are allowed by the standard so even that is cutting out some legitimate emails, and that's where the proper flaming starts
Admin
We still make jokes about Windows bluescreening, so why not?
Admin
If you are dealing with general population then you probably want more than a warning if there is no dot in the domain portion. It's just like ignoring case in the mailbox name, technically you can't but in practicality with the general pop you want to.
Admin
In other words, we should be blocking "Copy" instead of "Paste".
Filed under: BRB, Filing a patent
Admin
AMEN! I would also assume that if users can't store a decent password, they're more likely to use a shitty, more memorable one.
inb4 KeePass
Admin
Not a login action, please. Just a link including a nonce that pairs with a browser cookie to confirm that the email was received by the same user on the same computer as the browser that filled in the email form. Nobody should ever send an email with a clickable link to a login page; that pattern should belong only to phisherfolk.
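The link-nonce-plus-cookie pairing described in the post above, as an added example that is not part of the original thread or any poster's code. The function names, the in-memory `pending` store and the 15-minute lifetime are assumptions of this sketch.

```javascript
// Added example: an emailed nonce only confirms the address when it arrives
// together with the cookie set on the browser that submitted the form.
const crypto = require("crypto");

const TTL_MS = 15 * 60 * 1000;   // assumed lifetime of a pending confirmation
const pending = new Map();       // hex sha256(link nonce) -> pending record

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// Called when the form is submitted. linkNonce goes into the emailed URL;
// cookieValue goes into a Secure, HttpOnly, SameSite=Lax cookie (Lax so it is
// still sent when the link is opened from a webmail page).
function startVerification(email, now = Date.now()) {
  const linkNonce = crypto.randomBytes(32).toString("hex");
  const cookieValue = crypto.randomBytes(32).toString("hex");
  pending.set(sha256(linkNonce).toString("hex"), {
    email,
    cookieHash: sha256(cookieValue),   // only hashes are kept server-side
    expires: now + TTL_MS,
  });
  return { linkNonce, cookieValue };
}

// Called when the emailed link is opened. Returns the confirmed address, or
// null if the nonce is unknown or expired, or the cookie does not pair with it.
function confirmEmail(linkNonce, cookieValue, now = Date.now()) {
  const key = sha256(String(linkNonce)).toString("hex");
  const rec = pending.get(key);
  if (!rec) return null;
  if (now > rec.expires) {
    pending.delete(key);
    return null;
  }
  const presented = sha256(String(cookieValue ?? ""));
  if (!crypto.timingSafeEqual(presented, rec.cookieHash)) {
    return null;                 // other browser: record stays for the right one
  }
  pending.delete(key);           // single use
  return rec.email;
}
```

Opening the link performs no login: it only marks the address as confirmed for the browser that asked.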
Admin
I dug into it again, and found that the offending function is an inline in the HTML doc. So, no excising it that way.
This is awful:
function filterNumbersHyphen(eventObj) {
Admin
Last year some woman tried to give herself my address--my first clue was when she somehow managed to get the password reset. Fortunately I had given them a phone number and done the thing where you have a list of one-time-use codes printed and I managed to get it back. Then she signed me up for some mailing list. I asked the other people to let her know she was using someone else's address, but apparently they couldn't be bothered, although they did unsubscribe me.
But she was persistent, and created Instagram and maybe one or two other accounts, so I reset the passwords and randomized them. Nothing more until Christmas, when she ordered something online. I considered cancelling the order or calling her to tell her to stop using my email address, but am too nice for that, and she hasn't done anything since.
Admin
I hope that first batch of letters includes allowing . and +.
Admin
Only you and admins can see your email address. If what you typed as your "long name" is actually your real name (for many of us, it's not), then we can infer your address from the information you gave.
Admin
And - please.
Admin
Yeah, that's what I was referring to. It shows for me, but of course, I'm logged in and can see my own info.
Admin
And _.
Admin
/s/letters/unicode codepoints