Harlem shake javascript…

kierun
Bear Rating Trainee
Posts: 27
Joined: 16 Feb 2016, 11:43

Harlem shake javascript…

Postby kierun » 11 Aug 2016, 11:51

I tried the Harlem Shake javascript on my local install of tt-rss (commit d39a2f8005ba69f2940c8e3b547fbb18dc23bef0 and PHP 5.5.9-1ubuntu4.19 (cli) (built: Jul 28 2016 19:31:33)). Some elements (not a lot) did start shaking. Is this something that should be fixed?

Some more information about it all…

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Harlem shake javascript…

Postby fox » 11 Aug 2016, 12:05

wake me up if you manage to sneak this in through an rss feed

owning yourself through your own browser console is really not a particularly great accomplishment

kierun
Bear Rating Trainee
Posts: 27
Joined: 16 Feb 2016, 11:43

Re: Harlem shake javascript…

Postby kierun » 11 Aug 2016, 12:23

fox wrote: owning yourself through your own browser console is really not a particularly great accomplishment

Well, indeed. Which is why I am not sure it's such a bad thing™…

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Harlem shake javascript…

Postby fox » 11 Aug 2016, 12:37

i guess i'll elaborate on the subject of CSP in tt-rss because this isn't the first time this has been requested.

1. i'm not going to change the way i'm coding things so 'unsafe-inline' is going to be required

(btw i like how the attributes are prefixed unsafe- as to force the authors' mentality on everyone, it nicely shows how people involved in this standard are a bunch of condescending spergs using tumblr'esque debate tactics)

2. unsafe-eval seems to be required by Dojo which i have no control over. i don't think CSP allows relaxing limits for specific scopes within origin URL.

3. tt-rss strips loading of external stylesheets and any other imaginable potentially harmful crap from RSS feeds so adding bandaid headers would have limited, if any, effect.

of course, it won't hurt if something somehow slips through the cracks, but that would likely involve a compromised plugin or something else on your server which is a situation where you are completely fucked already anyway.

so, to sum up, while i can commit something like the following code-block, other than making a bunch of sperglords feel a bit safer, it is unlikely to have any effect on tt-rss security.

Code:

header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'");
should i? idk
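As an added illustration (not code from tt-rss or from this thread), a small Python evaluator of the script-src directive that shows why the header above offers little: with 'unsafe-inline' listed, an inline script injected through feed content runs exactly as the page's own inline scripts do, while a nonce-based policy lets only scripts carrying the nonce run and refuses eval(). Source matching is simplified (host sources must equal the script origin exactly or be '*'), and the nonce value, page origin and script URL are constructed for the demonstration.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_src_allows(policy, kind, page_origin, script_url=None, nonce=None):
    """kind is 'inline', 'eval' or 'external'. Returns True if script-src
    (falling back to default-src) would let that script run. Simplified:
    host sources must equal the script origin exactly or be '*'."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:  # no governing directive: nothing is restricted
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if kind == "eval":
        return "'unsafe-eval'" in sources
    if kind == "inline":
        if nonce and f"'nonce-{nonce}'" in sources:
            return True
        # CSP Level 2+: 'unsafe-inline' is ignored once a nonce or hash is listed
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    if kind == "external":
        u = urlsplit(script_url)
        script_origin = f"{u.scheme}://{u.netloc}"
        if "'self'" in sources and script_origin == page_origin:
            return True
        return any(s in ("*", script_origin) for s in sources if not s.startswith("'"))
    raise ValueError(f"unknown script kind: {kind}")

# The header from the post, beside a nonce-based alternative (nonce value constructed).
PROPOSED = "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
NONCE_BASED = "script-src 'self' 'nonce-r4nd0m'"

def compare_policies(page_origin="https://rss.example"):
    """Constructed scenario: an inline <script> injected via feed content (no
    nonce), the page's own nonced script, eval(), and a third-party script URL."""
    results = {}
    for name, header in (("proposed", PROPOSED), ("nonce", NONCE_BASED)):
        p = parse_csp(header)
        results[name] = {
            "injected_inline": script_src_allows(p, "inline", page_origin),
            "own_nonced_script": script_src_allows(p, "inline", page_origin, nonce="r4nd0m"),
            "eval": script_src_allows(p, "eval", page_origin),
            "third_party": script_src_allows(p, "external", page_origin, "https://other.example/x.js"),
        }
    return results
```

Because a CSP applies to the whole response, the 'unsafe-eval' needed by one library is granted to every script on the page, which is the limitation point 2 above runs into.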