random bits from the weekend

Jul. 25th, 2004 10:42 pm
cellio: (sleepy-cat ((C) Debbie Ohi))
[personal profile] cellio
I just got mail from Amazon.uk telling me that the third series of 24 is being released in a couple weeks. Now I know that sometimes a "series" in the UK doesn't equal a "season" in the US, and the third season just finished here, so that made me wonder if the UK edition is breaking up seasons the way they did for West Wing early on. Near as I can tell, no. The final episode aired in May and the DVD for the season is available in August. How strange! (I'm assuming that this is a US show, not an import here, as it is a very US-centric show, but Amazon.com has nothing to say about the third season on DVD so far.) Not that I'm buying yet anyway; I just find it curious.

(Noted in passing: fourth season of West Wing in September; second season of Blake's 7 allegedly in October.)

I sometimes wonder about the security implications of the quizzes and other memes that run around LJ. Consider: your passowrd is (I think) stored in a cookie. You follow a link while reading your friends page (so you're probably logged in) to some unvouched-for site where you give your user name as part of getting some bit of content to post in your journal. I don't know a lot about cookies, but isn't it fairly straightforward for a malicious meme-writer to harvest your password that way? I try to never fill those things out while logged in, personally. (Yes, I do sometimes fill them out, out of curiosity -- the ones that are likely to have interesting content, like the mind map and the friends-list-evaluation ones, not the "what kind of eggplant are you?" ones.)

The two instances of Giant Eagle that I shop at seem to have both stopped carrying my cats' favorite food (Tender Vittles). While googling to try to find out if the product had been discontinued (no one at the store seemed to know anything), I found a place where I can mail-order it by the case for about what I normally pay for it. Ok, that works. Gee, I wonder if I can mail-order the cat litter under similar circumstances, rather than shlepping it home from the store myself? I'll have to try that.

This afternoon I attended a bridal shower for a friend. I so do not know how to be a girly girl. :-) It was a fun time, but there was a lot more estrogen in the air than I'm used to.

Tags:
Flat | Top-Level Comments Only

clarification

Date: 2004-07-26 06:52 am (UTC)
geekosaur: orange tabby with head canted 90 degrees, giving impression of "maybe it'll make more sense if I look at it this way?" (Default)
From: [personal profile] geekosaur
This is the basis of "cross-site scripting" (XSS) exploits.

This is the basic mechanism; the basic "trick" is trying to convince the browser to execute arbitrary JavaScript with greater access than it normally would have, ideally convincing it to execute the JS as if it were the browser's own code but more commonly (barring certain IE bugs) tricking it into thinking that JS from a malicious site came from a more trusted site with more access. IE's "security zone" implementation tends to make this really easy, because there are so many holes in its checking.

To be clear: Javascript runs "in the document"; there's no concept in the language as instantiated on client-side (browsers) of standing outside a document to manipulate it.

In theory. In practice, JavaScript is the "glue" that holds the browser together[*], so it does stand outside of the document. Browsers are supposed to "sandbox" JavaScript from outside sources so that it can't affect global browser state or documents from different sites, but all too often the sandboxes "leak".


* It's more complex than this, but basically true: if arbitrary JavaScript can escape the sandbox, it gains full control over the browser — and even limited escape grants it too much power (cf. the recent Application.Shell exploit which affected both IE and Mozilla).
Flat | Top-Level Comments Only

Expand Cut Tags

No cut tags
Top of page