It takes as much energy to wish as it does to plan. — Eleanor Roosevelt
Don't read that headline and get worried. I don't think CSS is a particularly dangerous security concern and, for the most part, I don't think you need to worry about it.
But every once in a while, articles tend to circulate and get some attention as to the possibilities of what CSS can do that might surprise or worry you.
Here's a little roundup.… Read article
This is super interesting stuff from Mozilla: the most recent update of Firefox will now block cryptominers and third-party tracking scripts by default.… Read article
Dave Rupert digs into some of his favorite Vue features and one particular issue that he has with React:
… Read articleI’ve come to realize one thing I don’t particularly like about React is jumping into a file, reading the top for the state, jumping to the bottom to find the render function, then following the method calls up to a series other sub-rendering functions only to find the component I’m looking for is in another castle. That cognitive load is taxing
It's sorta sad by funny that that big Zoom vulnerability thing was ultimately related to web technology and not really the app itself.
There is this idea of custom protocols or "URL schemes." So, like gittower:// or dropbox:// or whatever. A native app can register them, then URLs that hit them get passed to the native app. iOS has "universal links" which are coming to the web apparently. (Atishay Jain has an excellent write-up on them.) But … Read article
Security researcher Sabri posted a bit of code that will "force restart any iOS device." It's interesting to see HTML & CSS have this kind of dangerous power. It's essentially a ton of <div>s scaled to be pretty huge and then set over a repeating JPG image with each <div> blurring the background via backdrop-filter. It must cause such extreme and unhandled memory usage that it wreaks havoc on the browser as well as the entire operating system.… Read article
...because third-party anything really isn't safe. Jake Archibald:
If you're worried about users tricking your site into loading third party resources, you can use CSP as a safety net, to limit where images, scripts and styles can be fetched from.
We've long discussed security considerations for using and managing third-party scripts, but the topic of security in third-party CSS was recently broached in response to a "trick" that employs keylogging via CSS.
Jake's post is a worthy read because … Read article
I was strongly reminded about the scariness of non-secure websites the other day.
I'm using Xfinity as an internet service provider, and they give you a device that is both a cable modem and a router.
Here's a tiny bit of backstory. I use a VPN, and I discovered that in using their modem directly, the VPN wouldn't work. I'm not sure why. I didn't dig into it very far, because I have a modem of my own I'd prefer … Read article
For all y'all that want to understand the potential attacks, and potential defenses, of front-end web development.
It's pretty wild. The dangers are big, real, and many. But the tools we have to fight back are up to the job, we just need to know about them and use them.… Read article