• (disco)

    Billy is a Network engineer, I'm sure he can change the cache headers somewhere... like on the FIRST proxy.

  • (disco)

    There is something a bit hinky about this.

    Cache / no Cache, HTTP / HTTPS there are plenty of Sites that can cope with combinations of them without issue.

    Now, pageweight might be an issue, but we don't know. The content could entirely be high quality images of documents.

    As for autocomplete. Browsers should not be doing this shit. Or if they did; have it a simple on /off and it is on or off and it is switched between those States with security being the main and only concern.

  • (disco) in reply to loose
    loose:
    As for autocomplete. Browsers should not be doing this shit.

    I hate it when sites go to great lengths to disable this sort of thing. I've already secured my client system more than they've secured their servers, why shouldn't I have my system cache things?

  • (disco) in reply to dkf

    Yeah, I hate not having autocomplete, but it's worst when a site disables the browser's remember credentials feature.

  • (disco) in reply to Eldelshell

    Not as bad as disabling paste

  • (disco) in reply to dkf

    Because there is no intelligence behind it (Browsers "autocomplete" functionality).

    @Eldelshell I'm not talking about remembering passwords, but the dumb filling in of forms.

    Yes it is helpful. but it is helpful because the website has spit out your 100 answer application form, because you forgot to capitalise you name. The WTF here, is the Wed Devs as alluded to in the Article. But for the wrong reasons, so to speak

  • (disco) in reply to loose
    loose:
    @Eldelshell I'm not talking about remembering passwords, but the dumb filling in of forms.

    I think I misread your post a bit there, sorry.

    Still, the clarification holds. :)

  • (disco)

    In HTML 4 autocomplete came out too late to be included in the standard, which was a bit of a pain when you wanted HTML Compliance.

    They rectified it in HTML 5. But I'm, not sure if it being applied "per input" is the way to go - could be a :wtf: waiting to happen.

  • (disco) in reply to Jaloopa
    Jaloopa:
    Not as bad as disabling paste
    I have not even been able to figure out why some sites do this. Is it sheer stupidity, or is there a reason?
  • (disco) in reply to tharpa
    tharpa:
    Is it sheer stupidity, or is there a reason?

    How would you distinguish between the two options?

  • (disco) in reply to tharpa
    tharpa:
    is there a reason?

    I most often see it on "confirm your email" boxes. Presumably the motivation is to stop you typoing the first time and then copypasta into the confirm box. Ignoring the fact you might be copying from somewhere else, or just not a complete idiot

  • (disco) in reply to tharpa
    tharpa:
    I have not even been able to figure out why some sites do this. Is it sheer stupidity, or is there a reason?

    I'm not sure. I do know that developer.apple.com used to disable paste in its login form for a long time, and since I use a password manager to store my passwords, I always had to disable JavaScript on the login page in order to paste in my password.

    Fortunately, Apple saw the light some time in the past few years, and now paste is non-disabled there as it should be.

  • (disco) in reply to Jaloopa
    Jaloopa:
    Not as bad as disabling paste

    What's even worse is disabling copy/paste only on a Mac! AT&T Wireless's business site has some convoluted JavaScript that disables any Meta key combination EXCEPT Ctrl-C, Ctrl-V, Ctrl-X. This is fine for Windows, but Macs use ⌘-C, ⌘-V and ⌘-X.

    Now I'm getting more pissed and motivated to figure out enough GreaseMonkey to prevent loading that script...

  • (disco) in reply to EmptyJayy
    EmptyJayy:
    disables any Meta key combination EXCEPT Ctrl-C, Ctrl-V, Ctrl-X. This is fine for Windows, but Macs use ⌘-C, ⌘-V and ⌘-X.

    :headdesk:

    Why would they even try to do that?

  • (disco) in reply to Jaloopa
    Jaloopa:

    :headdesk:

    Why would they even try to do that?

    Because it was in the spec?

  • (disco) in reply to tharpa

    LOL.

    At the end of the day, the best and only way to validate something like an email is to get the User to type it in twice.

    Cutting and pasting sorta defeats the object of the exercise. I suppose persistent practicioners of this - who are only harming themselves, will eventually get the internet equivalent of a Darwin Award.

    HAAANNNNNNNNNNNNNZOOOOOOOOOOO!!!!!

    Somehow clicking the reply button killed my IE Browser. Not as in crash and burn, but as in "...it became totally disconnected from the server... ...didn't have a clue as to where it was in time or space...." - All other Browser windows were fine.

    Anyhoo, by the time I had sorted it out - closed down, go away, have a coffee, reopen Browser @Jaloopa had beat me to it (can you abuse a tuit?)

  • (disco) in reply to EmptyJayy
    EmptyJayy:
    Now I'm getting more pissed and motivated to figure out enough GreaseMonkey to prevent loading that script...

    i'd just mark that script as adware and let my adblocker take care of it.

    assuming of course that it's not burried in a script bundle that has tons of actually useful functionality in it.

  • (disco) in reply to Jaloopa
    Jaloopa:
    EmptyJayy:
    disables any Meta key combination EXCEPT Ctrl-C, Ctrl-V, Ctrl-X. This is fine for Windows, but Macs use ⌘-C, ⌘-V and ⌘-X.

    :headdesk:

    Why would they even try to do that?

    Because how can a PC computer run without a Windows on it? ;)

  • (disco) in reply to loose
    loose:
    At the end of the day, the best and only way to validate something like an email is to get the User to type it in twice.

    No, the only way to validate an email is to try to send an email to it. Typing it twice prevents typoes but not people getting it wrong, misreading and typing their username, using @mycompany.com despite their actual address being .co.uk, etc.

  • (disco) in reply to loose
    loose:
    At the end of the day, the best and only way to validate something like an email is to get the User to type it in twice.

    No, the only way to validate it is to send email to it with a link that the user follows and performs a login action via that page. The type-it-twice stuff is merely a prophylactic, since some people do consistent typos…

  • (disco) in reply to loose
    loose:
    At the end of the day, the best and only way to validate something like an email is to get the User to type it in twice.

    Uh, what? You send them an email, that is the only way to validate an email.

    EDIT: and double :hanzo: by @Jaloopa and @dkf

  • (disco)

    @jaloopa && @dkf Ok Ok, you made your point. Perhaps I should be more presices / pedantic. Besides, the....

    Dammit....

    Must...resist...being...drawn....................into..........................................a.....................................Monty Pythonyesque(??) reality!

  • (disco) in reply to loose
    loose:
    At the end of the day, the best and only way to validate something like an email is to get the User to type it in twice.

    noooo..... that's not how you do it. you get them to type it in twice to reduce the chance of an @accalia, then you send them an email with an activastion link in it. that way you verify that y'know they can actually get email at the address they provide.

    additionally you should have no validation on the email address other than "does it have an @ and a domain part?" any other validation should be warning level only "it looks like you might be missing part of your domain name and may be undeliverable, are you sure that timmy.kitty@comcast is your email address?"

  • (disco) in reply to accalia
    accalia:

    i'd just mark that script as adware and let my adblocker take care of it.

    assuming of course that it's not burried in a script bundle that has tons of actually useful functionality in it.

    That's a really good idea. Thanks!

  • (disco) in reply to accalia

    insert flame war about whether a regex can be used to validate an email address here

  • (disco) in reply to accalia

    [quote="everydamnbody] At the end of the day, the best and only way to validate, at the point of collection, something like an email is to get the User to type it in twice. [/quote]

    FTFY

  • (disco) in reply to Jaloopa
    Jaloopa:
    insert flame war about whether a regex can be used to validate an email address here

    it can't be.

    but you can write one to validate "do i think i can deliver this possibly?"

    /\b[^@]+@[^@]+\b/ would validate that it has a account+domain portion

    that's all the validation i would do actually, and even then i'd just uyse it to put up a warning that the email may be undeliverable. if they choose to submit it i'll still try to deliver.

  • (disco) in reply to loose

    Besides, you're quoting me out of context.

    You gotta read it with this:

    loose:
    Cutting and pasting sorta defeats the object of the exercise. I suppose persistent practicioners of this - who are only harming themselves, will eventually get the internet equivalent of a Darwin Award.

    :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface: :trollface:

  • (disco) in reply to loose
    loose:
    FTFY

    not really. that's not validation, that's just a debounce method to reduce the chance of a typo giving you the wrong email address.

  • (disco) in reply to Jaloopa
    Jaloopa:

    No, the only way to validate an email is to try to send an email to it. Typing it twice prevents typoes but not people getting it wrong, misreading and typing their username, using @mycompany.com despite their actual address being .co.uk, etc.

    This. Exactly this. You would not believe the number of people who think my gmail.com address is theirs. I've had multiple Facebook accounts, a Microsoft account created and more random email from Eastern Europe than you can shake a stick at. Of course, since they created it with my email, I can claim I "lost my password" and do anything I want with their accounts.

    I even had some guy in New Jersey put my email address down when he bought a car. Man was that dealer pissed with my answers to their survey. Of course, once I told him I'd asked to be removed several times, he changed his tune.

  • (disco) in reply to EmptyJayy

    Do you have john.doe@gmail.com or something?

  • (disco) in reply to accalia
    accalia:
    it can't be.

    You can't check all of the is valid with one, no. But you can hit the vast majority of what is actually used by people. It's all about the trade off of "not allowing the couple people with addresses that can't be checked" vs. "works for the vast majority of users prior to checking if is actually good (if you even do that part)", where you should fall in that spectrum totally depends on why you are collecting it and what the pool you are pulling users from is.

  • (disco) in reply to Jaloopa
    Jaloopa:
    Do you have john.doe@gmail.com or something?

    Take the first 6 letters of my last name. It shows here, right? (New sign-up, long-time lurker.)

    It's very similar to some Polish and Czech names, I guess. Also, the MS account came from a guy in Mexico. I have no idea how I ended up with that one.

  • (disco) in reply to EmptyJayy

    Right-click, Paste... wait, you said Mac?

    Are we still allowed to make jokes about Macs and one-button mice?

  • (disco) in reply to locallunatic

    :popcorn:

    Personally, I'd validate letters, an @, some more letters, with a warning if there's no dot after the @. Of course, the usual counter to that is that bangpaths or some other weirdness are allowed by the standard so even that is cutting out some legitimate emails, and that's where the proper flaming starts

  • (disco) in reply to anotherusername
    anotherusername:
    Are we still allowed to make jokes about Macs and one-button mice?

    We still make jokes about Windows bluescreening, so why not?

  • (disco) in reply to Jaloopa
    Jaloopa:
    Personally, I'd validate letters, an @, some more letters, with a warning if there's no dot after the @.

    If you are dealing with general population then you probably want more than a warning if there is no dot in the domain portion. It's just like ignoring case in the mailbox name, technically you can't but in practicality with the general pop you want to.

  • (disco) in reply to Jaloopa
    Jaloopa:
    tharpa:
    is there a reason?

    I most often see it on "confirm your email" boxes. Presumably the motivation is to stop you typoing the first time and then copypasta into the confirm box. Ignoring the fact you might be copying from somewhere else, or just not a complete idiot

    In other words, we should be blocking "Copy" instead of "Paste".


    Filed under: BRB, Filing a patent

  • (disco) in reply to dkf
    dkf:
    I hate it when sites go to great lengths to disable this sort of thing. I've already secured my client system more than they've secured their servers, why shouldn't I have my system cache things?

    AMEN! I would also assume that if users can't store a decent password, they're more likely to use a shitty, more memorable one.

    inb4 KeePass

  • (disco) in reply to dkf
    dkf:
    tharpa:
    Is it sheer stupidity, or is there a reason?

    How would you distinguish between the two options?

    You would have to hear the reason.
  • (disco) in reply to dkf
    dkf:
    send email to it with a link that the user follows and performs a login action via that page

    Not a login action, please. Just a link including a nonce that pairs with a browser cookie to confirm that the email was received by the same user on the same computer as the browser that filled in the email form. Nobody should ever send an email with a clickable link to a login page; that pattern should belong only to phisherfolk.

  • (disco) in reply to RaceProUK
    RaceProUK:
    Because how can a PC computer run without a Windows on it? ;)
    Only option would be a Linux-hardware PC :wink:
  • (disco) in reply to EmptyJayy
    EmptyJayy:
    accalia:

    i'd just mark that script as adware and let my adblocker take care of it.

    assuming of course that it's not burried in a script bundle that has tons of actually useful functionality in it.

    That's a really good idea. Thanks!

    I dug into it again, and found that the offending function is an inline in the HTML doc. So, no excising it that way.

    This is awful:

    unction filterNumbersHyphen(eventObj) {

    var key = null;
    var keyCodeExceptions = new Array(8, 46, 16, 9, 17, 20, 19, 13, 35, 36, 37, 39, 127);
    
    
    	if(window.event) {
    		key = window.event.keyCode;
    		//enable basic keyboard operations
    		for ( var i=0; i<keyCodeExceptions.length; i++ )
    		if ( keyCodeExceptions[i] == key ) return true;
    		//enable copy/paste
    		if ( (key==67 && window.event.ctrlKey) || (key==86 && window.event.ctrlKey) )
    		return true;
    		//the number filter, accepts only digits 0..9,'-' and '.' no shifted special chars
    		return ( key != null && !window.event.shiftKey && (key > 47 && key < 58) || (key > 95 && key < 106)|| (key==189)|| (key==190) );
    		//note: window.event.cancelBubble is done by returning true or false
    	} else {
    		key = eventObj.which;
    		
    		//enable basic keyboard operations
    		for ( var i=0; i<keyCodeExceptions.length; i++ )
    		if ( keyCodeExceptions[i] == key ) return true;
    		//enable copy/paste
    		if ( (key==67 && eventObj.ctrlKey) || (key==86 && eventObj.ctrlKey) )
    		return true;
    		//the number filter, accepts only digits 0..9,'-' and '.' no shifted special chars
    		return ( key != null && !eventObj.shiftKey && (key > 47 && key < 58) || (key > 95 && key < 106)|| (key==173) ||(key==189)|| (key==190)|| (key==109));
    	}
    
    }
    
  • (disco) in reply to EmptyJayy
    EmptyJayy:
    You would not believe the number of people who think my gmail.com address is theirs.

    Last year some woman tried to give herself my address--my first clue was when she somehow managed to get the password reset. Fortunately I had given them a phone number and done the thing where you have a list of one-time-use codes printed and I managed to get it back. Then she signed me up for some mailing list. I asked the other people to let her know she was using someone else's address, but apparently they couldn't be bothered, although they did unsubscribe me.

    But she was persistent, and created Instagram and maybe one or two other accounts, so I reset the passwords and randomized them. Nothing more until Christmas, when she ordered something online. I considered cancelling the order or calling her to tell her to stop using my email address, but am too nice for that, and she hasn't done anything since.

  • (disco) in reply to Jaloopa
    Jaloopa:
    Personally, I'd validate letters, an @

    I hope that first batch of letters includes allowing . and +.

  • (disco) in reply to EmptyJayy
    EmptyJayy:
    It shows here, right?

    Only you and admins can see your email address. If what you typed as your "long name" is actually your real name (for many of us, it's not), then we can infer your address from the information you gave.

  • (disco) in reply to FrostCat
    FrostCat:
    Jaloopa:
    Personally, I'd validate letters, an @

    I hope that first batch of letters includes allowing . and +.

    And - please.

  • (disco) in reply to HardwareGeek
    HardwareGeek:
    EmptyJayy:
    It shows here, right?

    Only you and admins can see your email address. If what you typed as your "long name" is actually your real name (for many of us, it's not), then we can infer your address from the information you gave.

    Yeah, that's what I was referring to. It shows for me, but of course, I'm logged in and can see my own info.

  • (disco) in reply to HardwareGeek

    And _.

  • (disco) in reply to HardwareGeek

    /s/letters/unicode codepoints

Leave a comment on “Paying Cache for Insurance”

Log In or post as a guest

Replying to comment #:

« Return to Article