I don't think "annoying" is quite the right word to summarize this blog post. Sure, ads are often annoying, but the point she was trying to make is that this pattern is somewhat harmful.
It isn't. But what do you replace it with? Better solutions are likely to only cover a fraction of use cases, so they really need to be stellar to win over users.
Bobby tables would be considered data. Or should be. And hopefully it would be obvious that it doesn't belong in the code section.
But like you I'm not totally convinced. I think this idea would make it easier for people trying to do the right thing to get it right; but for the blissfully ignorant? Might not help at all. Either way it needs a more flushed out spec.
In practice I bet a large portion of people set up their phones at cell phone stores. Do you really trust at&t/T-Mobile/sprint/etc to have properly secured WiFi? My bet is they don't.
Definitely this only applies to government (esp law enforcement) requests.
Re: does it just protect US citizens or everyone's emails: dunno. That's a great question. My guess is that it's aimed at US citizens but I imagine agreements like privacy shield may extend those rights to some non citizens. IANAL though and am mostly speculating.
If you see this happen, please write in to our support team; we take data integrity issues very seriously.
Also I should probably mention that we keep 1 month of version history for free users and even more history for paid users, so if the corruption is recent you should be able to undo it yourself. But please report either way.
Yes but at the time, there was only evidence of password reuse leading to some comprised email lists... Not that password hashes themselves had been stolen. Sigh.
This. And even if the browser does block the request, the js probably sees that as an error code 0 (standard for cors) at which point it can use the performance timing apis.
CSP isn't relevant. I suspect you want to talk about cors or origin headers or similar things, in which case you are missing that there's no need for a csrf vulnerability here - any GET with reflected data could do.
My use case: I work at a company with a lot of engineers working on our website. Most of our important pages have lots of code from different teams loaded on them - arguably, far too much. We are trying to make it so that different teams code runs parallelized, so failures and slowness are completely independent- but this only makes sense on the back end; in js, it's far too easy for a few slow components to slow down our whole website.
Re moving the negation: it could be faster if x is available a few cycles before y in a superscalar architecture as you could save a cycle by negating x while in parallel computing y.
No it's pretty bad for web developers - everyone stuck on old versions of Safari just since they don't want the new os (or sometimes are on services that aren't supported any more). Whereas there's not much difference between someone on chrome 43 and 46, and chrome auto updates aggressively so we can ignore anything < 40 easily.
Safari and IE are basically in the same boat of users being on old oses also being stuck on aging browsers. It's just that IE has been so much worse that we haven't had time to start complaining about Safari, but don't worry, that's coming very soon.
No it's pretty bad for web developers - everyone stuck on old versions of Safari just since they don't want the new os (or sometimes are on services that aren't supported any more). Whereas there's not much difference between someone on chrome 43 and 46, and chrome auto updates aggressively so we can ignore anything < 40 easily.
Safari and IE are basically in the same boat of users being on old oses also being stuck on aging browsers. It's just that IE has been so much worse that we haven't had time to start complaining about Safari, but don't worry, that's coming very soon.