nekocave.xyz

at least somebody cares:

A regional court in the German city of Munich has ordered a website operator to pay €100 in damages for transferring a user's personal data — i.e., IP address — to Google via the search giant's Fonts library without the individual's consent.

The unauthorized disclosure of the plaintiff's IP address by the unnamed website to Google constitutes a contravention of the user's privacy rights, the court said, adding the website operator could theoretically combine the gathered information with other third-party data to identify the "persons behind the IP address."


I reported this to my bank that used Google Fonts in their telebank site. for quite a long time they did not understand the risks of data leakage on secure operations, but I wrote them again and again and they finally removed the links.

#security #dataleaks #Germany #web #google

I wonder how it will go further.

It is normal practice for websites to link to each other and hotlink/embed external resources. Sometimes it can't be controlled (e.g. some forums/comments/etc. allow inserting external images).

Is it all going to become violations now as any external service can collect request data?

and no, inserting any content from external links is not "normal". it's a very sick practice.
if you want an external link - refer to it as an explicit external link, possibly with a warning that the user leaves your site. this is the best practice.

How about CDN?

Also define external. Is another subdomain external? How about another domain you own? How are people supposed to check?

and cross-scripting (i.e. running scripts from external resources) must be prohibited totally.
So people will just serve/proxy adware scripts from their own domains :)
this is more safe, although I didn't say ads or js was a good thing.
Good luck making an internet shop or something similar that way :)
we had this in the past, and it worked. what's the problem?

Yep, it is possible.

However the result won't be liked by the most people.

It is. If something isn't liked by target audience it will fail.

Again look at any modern web store. It typically has search with autocomplete, dynamic loading of items, various filters, shopping cart with dynamic total updating, etc.

Do any of these without JS. Yes, it is doable. But most likely it will be hard to implement, not convenient to use and probably ugly as well.

I doubt any project manager ever says: hey guys, we need at least ten scripts on every page! What they say are things like: this form has to check if the phone number is in correct format and warn if not.

"the most people" use such a shit like windoze. so what? you wanna follow the example? and if "the most people" go break their neck against a wall - does this mean you also gonna do it?

In my opinion tools are tools. I always find it suspicious when people try to idolize or demonize tools. Some tools are good, some are not so much but it all depends on purpose.

JS is misused a lot but it has its uses as well. Maybe we need a better scripting language for the web pages. As for nefarious uses of JS - this is what has to be resisted, not the technology itself.

if a "tool" implies a misuse - it will be intentionally "misused". so the only way to get rid of this crap is complete eradication. there should be no way of running any non-trusted code on user side.

I don't think JS implies misuse, it rather lacks control. In fact it is not even JS that lacks control but browsers themselves. And yes, it is not easy to fix, especially for generic users.

Myself I'd like to see some alternative which supports sandboxing and permission control by design. Also I'd like to see far less use of JS in general. But I don't think it is realistic to expect people to just drop it.

and I stand for eradication of js from the web. no doubts it's evil.
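
On the question raised in the thread of what counts as "external" and how a site operator can check: the following is an added example, not written by any participant, that lists the hosts a visitor's browser contacts automatically when it renders a page. It assumes the operator declares which domains are their own (`own_domains`); the class name, function name and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes a browser fetch a resource without any click.
AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src",
              "embed": "src", "source": "src", "link": "href"}
# <link rel=...> values that make the browser contact the host
# (rel="canonical" and similar do not).
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
                 "icon", "modulepreload"}

class AutoFetchAudit(HTMLParser):
    def __init__(self, page_url, own_domains):
        super().__init__()
        self.page_url = page_url
        # Operator-declared first-party domains; their subdomains count too.
        self.own = {d.lower() for d in own_domains}
        self.third_party = []  # (tag, host) pairs that see the visitor's IP

    def _is_own(self, host):
        return any(host == d or host.endswith("." + d) for d in self.own)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(AUTO_FETCH.get(tag, ""))
        if not value:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        url = urlsplit(urljoin(self.page_url, value))
        host = (url.hostname or "").lower()
        if url.scheme in ("http", "https") and not self._is_own(host):
            self.third_party.append((tag, host))

def audit(html, page_url, own_domains):
    parser = AutoFetchAudit(page_url, own_domains)
    parser.feed(html)
    return parser.third_party

# Constructed sample: hotlinked font CSS, self-hosted script, own subdomain.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="https://other.example.net/page">
<script src="/static/app.js"></script></head><body>
<img src="//cdn.shop.example/logo.png">
<a href="https://elsewhere.example.org/">explicit external link</a>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "https://shop.example/", ["shop.example"]))
```

This only sees what is in the static HTML; requests started by scripts or by `@import`/`url()` inside stylesheets need a browser-level check such as the network panel or a `Content-Security-Policy` report.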