I don't think "annoying" is quite the right word to summarize this blog post. Sure, ads are often annoying, but the point she was trying to make is that this pattern is somewhat harmful.
It isn't. But what do you replace it with? Better solutions are likely to only cover a fraction of use cases, so they really need to be stellar to win over users.
Bobby tables would be considered data. Or should be. And hopefully it would be obvious that it doesn't belong in the code section.
But like you I'm not totally convinced. I think this idea would make it easier for people trying to do the right thing to get it right; but for the blissfully ignorant? Might not help at all. Either way it needs a more flushed out spec.
In practice I bet a large portion of people set up their phones at cell phone stores. Do you really trust at&t/T-Mobile/sprint/etc to have properly secured WiFi? My bet is they don't.
Definitely this only applies to government (esp law enforcement) requests.
Re: does it just protect US citizens or everyone's emails: dunno. That's a great question. My guess is that it's aimed at US citizens but I imagine agreements like privacy shield may extend those rights to some non citizens. IANAL though and am mostly speculating.
If you see this happen, please write in to our support team; we take data integrity issues very seriously.
Also I should probably mention that we keep 1 month of version history for free users and even more history for paid users, so if the corruption is recent you should be able to undo it yourself. But please report either way.
Yes but at the time, there was only evidence of password reuse leading to some comprised email lists... Not that password hashes themselves had been stolen. Sigh.
This. And even if the browser does block the request, the js probably sees that as an error code 0 (standard for cors) at which point it can use the performance timing apis.
CSP isn't relevant. I suspect you want to talk about cors or origin headers or similar things, in which case you are missing that there's no need for a csrf vulnerability here - any GET with reflected data could do.
My use case: I work at a company with a lot of engineers working on our website. Most of our important pages have lots of code from different teams loaded on them - arguably, far too much. We are trying to make it so that different teams code runs parallelized, so failures and slowness are completely independent- but this only makes sense on the back end; in js, it's far too easy for a few slow components to slow down our whole website.
Re moving the negation: it could be faster if x is available a few cycles before y in a superscalar architecture as you could save a cycle by negating x while in parallel computing y.
No it's pretty bad for web developers - everyone stuck on old versions of Safari just since they don't want the new os (or sometimes are on services that aren't supported any more). Whereas there's not much difference between someone on chrome 43 and 46, and chrome auto updates aggressively so we can ignore anything < 40 easily.
Safari and IE are basically in the same boat of users being on old oses also being stuck on aging browsers. It's just that IE has been so much worse that we haven't had time to start complaining about Safari, but don't worry, that's coming very soon.
No it's pretty bad for web developers - everyone stuck on old versions of Safari just since they don't want the new os (or sometimes are on services that aren't supported any more). Whereas there's not much difference between someone on chrome 43 and 46, and chrome auto updates aggressively so we can ignore anything < 40 easily.
Safari and IE are basically in the same boat of users being on old oses also being stuck on aging browsers. It's just that IE has been so much worse that we haven't had time to start complaining about Safari, but don't worry, that's coming very soon.
I've been trying to work with this library. So far my conclusion is that it's heavily under-documented and the examples are almost too simple. I'm having lots of trouble understanding errors.
I think it comes down to scale. If you are running your application on 5 or 10 or maybe even 100 servers, buying a few more to handle the inefficiency makes some sense. But if you code needs to go on 1000s of servers or more, it's probably worth paying people to optimize it instead of buying more hardware.
Mitm is often pretty easy, e.g. just arp spoof someone on the same network as you. Though if your target is on a different network, maybe not so simple. There's definitely a point where it probably makes more sense to try to attack the server than a well secured client; in general, hackers will aim for the weakest link (which I doubt will be your cookies not being channel bound)