#26
> You should _always_ use an absolute URL in a redirect. I know it quite
> often works with a relative too.

Why?

--
Richard Heyes

Employ me
http://www.phpguru.org/cv

+----------------------------------------+
| Access SSH with a Windows mapped drive |
| http://www.phpguru.org/sftpdrive       |
+----------------------------------------+

#27
On Mon, May 19, 2008 at 12:52 PM, Richard Heyes <richardh@phpguru.org> wrote:
>> You should _always_ use an absolute URL in a redirect. I know it quite
>> often works with a relative too.
>
> Why?

Because it is RFC.

#28
robert wrote:
>
> On May 18, 2008, at 10:14 PM, Tim Thorburn wrote:
>
>> Hi all,
>>
>> Having a slight problem with a demo I gave at a client's last week -
>> looking for a little advice. Part of my demo involved a password
>> protected area - the simplified process is: client enters password on
>> login page > if login/password match encrypted database, PHP session
>> is created, form forwards to a secured area > secured area checks to
>> make sure PHP session is valid > if valid display content, if not,
>> return to login screen.
>>
>> This procedure is what I've used for many years, tested on a variety
>> of servers and connections. It works. During the demo with my
>> client, I was able to enter login/password info, the PHP session was
>> created - however the screen would not forward to the secured area.
>> Instead I was presented with a blank screen (client only has an
>> outdated/non-updated version of IE6). If I were to type in the URL
>> to the secured area, it would display content properly. As a test, I
>> logged out, closed my browser and started again, this time entering
>> an incorrect login/password - again it would not forward to the next
>> screen properly, however this time when I typed in the full URL, it
>> would not display as the session hadn't been created.
>>
>> I've spoken briefly with my client's IT person, however he's unwilling
>> to share any firewall information or really anything regarding their
>> security setup - which I understand as I'm not an employee and just a
>> contractor.
>>
>> So, after long winded description - does anyone with network security
>> experience have any idea either a) what I would need to ask the IT
>> person to allow for their site only, or b) have any suggestions for
>> alternate password authentication that may work given the above
>> conditions?
>>
>> TIA
>> -Tim
>
> try to use a full url instead of relative. e.g.
>
> header('location: thankyou.php');
>
> vs.
>
> header('location: http://www.mysite.com/thankyou.php');
>
> or use $_SERVER['DOCUMENT_ROOT'] for portability.
>
> i think this is some weirdness on IE6. this worked for me.
>

I'll try $_SERVER['DOCUMENT_ROOT'] during my next demonstration which should be sometime next week. Odd that this issue has never come up before O.o
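
The full-URL redirect suggested in the quoted reply above, as an added example that is not part of the thread: it builds the absolute Location value from a site-local target, takes the host from an allowlist instead of trusting the request, and stops the script once the header is sent. ALLOWED_HOSTS, absolute_redirect_url() and redirect_and_exit() are hypothetical names; www.mysite.com is the placeholder host used in the post.

```php
<?php
// Added example, not code from the thread. ALLOWED_HOSTS,
// absolute_redirect_url() and redirect_and_exit() are hypothetical names;
// www.mysite.com is the placeholder host used in the post above.

const ALLOWED_HOSTS = ['www.mysite.com'];

/**
 * Build an absolute URL for a Location header from a site-local target
 * such as "thankyou.php" or "/secure/index.php".
 *
 * $server is passed in (normally $_SERVER) so the function can be
 * exercised with constructed input.
 */
function absolute_redirect_url(string $target, array $server, array $allowedHosts): string
{
    // Control characters would allow header splitting; a scheme, a leading
    // "//" or a backslash could point the browser at another site.
    if ($target === ''
        || preg_match('/[\x00-\x20\x7f\\\\]/', $target)
        || preg_match('#^(?:[a-z][a-z0-9+.\-]*:|//)#i', $target)) {
        throw new InvalidArgumentException('redirect target must be a site-local path');
    }

    // Use the request's host only if it is one this site serves; otherwise
    // fall back to the first configured host. DOCUMENT_ROOT is a filesystem
    // path and cannot supply this part of the URL.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }

    $https  = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $scheme = $https ? 'https' : 'http';

    if ($target[0] === '/') {
        $path = $target;                 // already relative to the site root
    } else {
        // Resolve against the directory of the running script.
        $dir  = rtrim(str_replace('\\', '/', dirname($server['SCRIPT_NAME'] ?? '/')), '/');
        $path = $dir . '/' . $target;
    }

    return $scheme . '://' . $host . $path;
}

/** Send the redirect and stop, so no protected output follows the header. */
function redirect_and_exit(string $target): void
{
    $url = absolute_redirect_url($target, $_SERVER, ALLOWED_HOSTS);
    session_write_close();               // write session data out before the next request
    header('Location: ' . $url, true, 302);
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed request data, for running this file from the command line.
    $samples = [
        ['thankyou.php',      ['HTTP_HOST' => 'www.mysite.com', 'SCRIPT_NAME' => '/members/login.php']],
        ['/secure/index.php', ['HTTP_HOST' => 'unknown.invalid', 'HTTPS' => 'on', 'SCRIPT_NAME' => '/login.php']],
        ['//other.invalid/x', ['HTTP_HOST' => 'www.mysite.com', 'SCRIPT_NAME' => '/login.php']],
    ];
    foreach ($samples as [$target, $server]) {
        try {
            echo $target, ' => ', absolute_redirect_url($target, $server, ALLOWED_HOSTS), "\n";
        } catch (InvalidArgumentException $e) {
            echo $target, ' => rejected: ', $e->getMessage(), "\n";
        }
    }
}
```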

#29
> Because it is RFC.

Since when has that mattered? :-)

--
Richard Heyes

#30
On Mon, 2008-05-19 at 21:03 +0100, Richard Heyes wrote:
> > Because it is RFC.
>
> Since when has that mattered? :-)

Always... unless you're one of the ignorant masses

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP

#31
Robert Cummings wrote:
> On Mon, 2008-05-19 at 21:03 +0100, Richard Heyes wrote:
>>> Because it is RFC.
>> Since when has that mattered? :-)
>
> Always... unless you're one of the ignorant masses

Whatever works... :-)

--
Richard Heyes

#32
On May 19, 2008, at 12:20 PM, Tim Thorburn wrote:
> robert wrote:
>>
>> On May 18, 2008, at 10:14 PM, Tim Thorburn wrote:
>>
>>> Hi all,
>>>
>>> Having a slight problem with a demo I gave at a client's last week
>>> - looking for a little advice. Part of my demo involved a
>>> password protected area - the simplified process is: client enters
>>> password on login page > if login/password match encrypted
>>> database, PHP session is created, form forwards to a secured area
>>> > secured area checks to make sure PHP session is valid > if valid
>>> display content, if not, return to login screen.
>>>
>>> This procedure is what I've used for many years, tested on a
>>> variety of servers and connections. It works. During the demo
>>> with my client, I was able to enter login/password info, the PHP
>>> session was created - however the screen would not forward to the
>>> secured area. Instead I was presented with a blank screen (client
>>> only has an outdated/non-updated version of IE6). If I were to
>>> type in the URL to the secured area, it would display content
>>> properly. As a test, I logged out, closed my browser and started
>>> again, this time entering an incorrect login/password - again it
>>> would not forward to the next screen properly, however this time
>>> when I typed in the full URL, it would not display as the session
>>> hadn't been created.
>>>
>>> I've spoken briefly with my client's IT person, however he's
>>> unwilling to share any firewall information or really anything
>>> regarding their security setup - which I understand as I'm not an
>>> employee and just a contractor.
>>>
>>> So, after long winded description - does anyone with network
>>> security experience have any idea either a) what I would need to
>>> ask the IT person to allow for their site only, or b) have any
>>> suggestions for alternate password authentication that may work
>>> given the above conditions?
>>>
>>> TIA
>>> -Tim
>>
>> try to use a full url instead of relative. e.g.
>>
>> header('location: thankyou.php');
>>
>> vs.
>>
>> header('location: http://www.mysite.com/thankyou.php');
>>
>> or use $_SERVER['DOCUMENT_ROOT'] for portability.
>>
>> i think this is some weirdness on IE6. this worked for me.
>>
> I'll try $_SERVER['DOCUMENT_ROOT'] during my next demonstration
> which should be sometime next week. Odd that this issue has never
> come up before O.o

Actually i think you might be experiencing the P3P privacy policy thing. I tried it myself but couldn't get the headers to cooperate; only worked when i appended the session id to the url. I hope someone here can chime in on it.

Google keywords "php session ie6" or "ie6 ".

i'd also recommend a helmet, facemask and bullwhip.

#33
On Mon, May 19, 2008 at 4:03 PM, Richard Heyes <richardh@phpguru.org> wrote:
> Since when has that mattered? :-)

:-) to you too.

#34
On 2008-05-12 15:40:54, Stut wrote:
> CSS, but I may not be understanding what you mean by blunt. Javascript
> can be written such that it eats CPU and/or memory but this is of no
> benefit to anyone so unless you're running on a prehistoric machine I
> can't see that being an issue. And it's worth noting that even if a
> script starts hammering the machine most browsers these days will
> notice that, suspend it and offer to kill it.

About your "prehistoric machine":

My Devel-Station is a "AMD Phenom Quad 9800", running Debian GNU/Linux Unstable, Testing and Stable in Xen-DomU and I know a couple of Websites where Mozilla/Iceape locks up to one minute, consuming 100% of CPU-Time and then showing a Message Box, that a Script is consuming very much resources and if I continue, my Computer would not more responsive...

WTF?

> It is causing the error since it has blocked loading the external file
> but not the call to the code it contains. This, to me at least, seems
> half-arsed. The error only exists on the page if you deny it something
> that it needs to run correctly. IMHO the assumption that if the call

So forcing peoples to do things they do not want to do?

I do not know, what this urchinTracker() does, but since it is named "Tracker", I assume it is a tool, which collect infos about website users. A thing I do not like since it is violation of my privacy.

> to the urchinTracker function can run then so can the script tag to
> pull in that code is pretty reasonable. In fact I make it all the time
> in the code I write and I think the same would go for 99.999% of
> developers using Javascript.

Ehm you mean, that I am one of those 0.001%?

Hmmm, I do not know a single JavaScript Developer here in Strasbourg who use it...

> Urchin Tracker is a simple(!) analytics package and poses no danger to
> you or your computer. In fact I would suggest it's anti-productive to
> block it since it prevents the sites you visit from using the data it
> provides to modify their site to make the experience better for you.

So collecting privacy infos about me? -- No thanks!

> That error is caused by your use of selective Javascript-blocking
> technology, and while I work very hard to ensure the sites I develop
> work as well as possible without Javascript I think it's unreasonable
> to expect them to work with selective blocking.

Selective because urchinTracker() tracker is collecting infos about me which I do not want to give out! -- Privacy violation!

If you use such tools, you have to warn users of your website, that you are collecting data otherwise you could be run into trouble...

> Well, some of his pages do but that's complicating the issue. As far
> as I can tell the only bit of Javascript common to all Tedd's pages is
> the Google Analytics code which is not required for you to use the
> site, it just enhances the ability for Tedd to analyse how people are
> using it.

Ahh, -- urchinTracker() is from Google. :-)

And if used without informing users, it is definitely a privacy violation. At least in most EU countries like Germany and France.

> It can and I care greatly about security, but Javascript is very well
> locked down these days, and it's fairly difficult to get it to do
> anything malicious. Can it do annoying things, yes (but rarely these
> days, and usually only on 'special' sites), but I've not come across
> anything malicious for quite some time.

Since I am working mobile with my ThinkPad, I do not like to be tracked by this urchinTracker() crap since this mean, Google will track ANY of my customers where I am working if I use the Internet...

This is not only a privacy violation, it is espionage...

This is HOW secret services (the NSA is using Google) are working.

> In summary I can understand where you're coming from, and it's totally
> your choice to use something that modifies your browsing experience,
> but to then complain that it's causing errors on the sites you visit
> is, to me, beyond ridiculous. That's all I was trying to point out.

I do not know in which country you are, but all peoples worldwide should block such shit coming from at least the USA/GB/IL.

Note: I am working for the french Ministry of Defense.

Thanks, Greetings and nice Day
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)

#35
On 2008-05-12 15:36:30, tedd wrote:
> Now, how is that a security threat? Or is the claim that any site
> that uses js is a security threat?

One of my customers is the french "Ministry of Defense" and IF ENOUGH websites using the urchinTracker() I can run into heavy trouble using my laptop for professional work...

And since the NSA is using Google to track peoples, urchinTracker() is a privacy violation by european law and definitely "security threat".

Thanks, Greetings and nice Day
    Michelle Konzack

#36
At 3:08 PM +0200 5/21/08, Michelle Konzack wrote:
> On 2008-05-12 15:40:54, Stut wrote:
>> Well, some of his pages do but that's complicating the issue. As far
>> as I can tell the only bit of Javascript common to all Tedd's pages is
>> the Google Analytics code which is not required for you to use the
>> site, it just enhances the ability for Tedd to analyse how people are
>> using it.
>
> Ahh, -- urchinTracker() is from Google. :-)
>
> And if used without informing users, it is definitely a privacy
> violation. At least in most EU countries like Germany and France.

Well then, all web sites are a privacy violation by your definition.

Web sites come standard with server logs and other data gatherers like Webalizer, which none notify the user that their access is being recorded.

However, all data collected in such logs can not be tracked back to a specific user, and thus they are not really a "privacy" violation.

If I say that 43 percent of my web site's visitors come from Europe, and 30 percent use IE6 then it's not a privacy violation to collect this data because this data is not tied to a known specific user.

This is much like a traffic counter on a roadway. Just because you drove over the counter does not constitute a violation of your privacy.

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com

#37
I was going to ignore this, but I'm in a confrontational mood today, so please accept my apologies for the noise.

On 21 May 2008, at 14:08, Michelle Konzack wrote:
> On 2008-05-12 15:40:54, Stut wrote:
>> CSS, but I may not be understanding what you mean by blunt.
>> Javascript can be written such that it eats CPU and/or memory but
>> this is of no benefit to anyone so unless you're running on a
>> prehistoric machine I can't see that being an issue. And it's worth
>> noting that even if a script starts hammering the machine most
>> browsers these days will notice that, suspend it and offer to kill it.
>
> About your "prehistoric machine":
>
> My Devel-Station is a "AMD Phenom Quad 9800", running Debian GNU/Linux
> Unstable, Testing and Stable in Xen-DomU and I know a couple of
> Websites where Mozilla/Iceape locks up to one minute, consuming 100%
> of CPU-Time and then showing a Message Box, that a Script is
> consuming very much resources and if I continue, my Computer would
> not more responsive...
>
> WTF?

1) If your quad-core machine grinds to a halt due to runaway Javascript code then there's something very wrong with the way it's configured.

2) You said yourself that the browser suspends the script and asks you if you want it to continue thereby protecting you from stupid developers and rendering resource-hungry scripts pointless.

3) It's extremely rare for me to come across a site that will cause that box to appear these days. Dunno what sites you're visiting but you might want to consider avoiding them in future.

4) None of this is a security risk, it's just annoying as are a lot of websites both with and without Javascript.

>> It is causing the error since it has blocked loading the external
>> file but not the call to the code it contains. This, to me at least,
>> seems half-arsed. The error only exists on the page if you deny it
>> something that it needs to run correctly. IMHO the assumption that
>> if the call
>
> So forcing peoples to do things they do not want to do?
>
> I do not know, what this urchinTracker() does, but since it is named
> "Tracker", I assume it is a tool, which collect infos about website
> users. A thing I do not like since it is violation of my privacy.

Violation of privacy? Let's start with the fact that it's not collecting anything you don't put out there when you use your browser. Let's add that none of that info can personally identify you without consulting your ISP who are highly unlikely to disclose who you are without a court order. Now let's consider that the original conversation in this thread has nothing to do with privacy. I have no problem whatsoever if you want to block Javascript, but please do it properly or at least don't complain about errors if you only partly block it. That, and only that, was my point.

>> to the urchinTracker function can run then so can the script tag to
>> pull in that code is pretty reasonable. In fact I make it all the
>> time in the code I write and I think the same would go for 99.999% of
>> developers using Javascript.
>
> Ehm you mean, that I am one of those 0.001%?
>
> Hmmm, I do not know a single JavaScript Developer here in Strasbourg
> who use it...

Whoa there nellie, I stated that I assume that if part A of my Javascript runs then part B will also run. I said nothing about always using Urchin or anything of the sort.

>> Urchin Tracker is a simple(!) analytics package and poses no danger
>> to you or your computer. In fact I would suggest it's anti-productive
>> to block it since it prevents the sites you visit from using the data
>> it provides to modify their site to make the experience better for
>> you.
>
> So collecting privacy infos about me? -- No thanks!

Again, if you want to block it I have no problem with that. I think you're overly cautious but it's entirely your choice. Google Analytics (which is where the Urchin code comes from) does gather a tiny bit more information than normal server logs but none of it is personally identifiable or in any way a security risk. But just to state it again, I couldn't care less if you blocked it.

>> That error is caused by your use of selective Javascript-blocking
>> technology, and while I work very hard to ensure the sites I develop
>> work as well as possible without Javascript I think it's unreasonable
>> to expect them to work with selective blocking.
>
> Selective because urchinTracker() tracker is collecting infos about
> me which I do not want to give out! -- Privacy violation!
>
> If you use such tools, you have to warn users of your website, that
> you are collecting data otherwise you could be run into trouble...

Not really. You are giving out that information whether you like it or not because that's the way your browser works. If you want to be really anal about it you can get browser addons and proxies that will strip most of that info out, but again I really don't see what you're afraid of. I think it's also worth repeating that I couldn't care less if you decide to block Javascript, that's not even close to the point I was making in this conversation.

>> Well, some of his pages do but that's complicating the issue. As far
>> as I can tell the only bit of Javascript common to all Tedd's pages
>> is the Google Analytics code which is not required for you to use the
>> site, it just enhances the ability for Tedd to analyse how people are
>> using it.
>
> Ahh, -- urchinTracker() is from Google. :-)
>
> And if used without informing users, it is definitely a privacy
> violation. At least in most EU countries like Germany and France.

Then don't use sites that use it from those countries. Or, better yet, turn your computer off and go play outside.

>> It can and I care greatly about security, but Javascript is very well
>> locked down these days, and it's fairly difficult to get it to do
>> anything malicious. Can it do annoying things, yes (but rarely these
>> days, and usually only on 'special' sites), but I've not come across
>> anything malicious for quite some time.
>
> Since I am working mobile with my ThinkPad, I do not like to be
> tracked by this urchinTracker() crap since this mean, Google will
> track ANY of my customers where I am working if I use the Internet...
>
> This is not only a privacy violation, it is espionage...
>
> This is HOW secret services (the NSA is using Google) are working.

Really don't know where you're getting that from, but if it's even remotely true nobody would be using Google Analytics. I'm betting you're confusing Analytics with something else Google do, but for the life of me I can't think what.

>> In summary I can understand where you're coming from, and it's
>> totally your choice to use something that modifies your browsing
>> experience, but to then complain that it's causing errors on the
>> sites you visit is, to me, beyond ridiculous. That's all I was trying
>> to point out.
>
> I do not know in which country you are, but all peoples worldwide
> should block such shit coming from at least the USA/GB/IL.
>
> Note: I am working for the french Ministry of Defense.

Ooh, give 'em a peanut. I live and work in the UK and every site I work on that uses Google Analytics has nothing specific about Google Analytics in the privacy policy. They all talk about use of , IP addresses and server logs and I've never had any complaints.

But, at risk of labouring the point, I don't have an issue if you decide to worry about inconsequential things like websites gathering anonymous usage data so they can improve the experience for you. I couldn't care less if you disable Javascript to prevent evil popup ads. I don't really give a damn if you decide to use lynx as the ultimate surfer condom.

My issue is purely and simply that if someone decides to remove half the code for something they should not feel they have the right to complain to the developers when they see errors. You wouldn't expect a car to work if you removed all the cylinders, would you? But I'd love to see the person's face when you take it back and complain.

Sometimes I wonder why I bother.

-Stut

--
http://stut.net/

#38
2008/5/21 Stut <stuttle@gmail.com>:
> I was going to ignore this, but I'm in a confrontational mood today, so
> please accept my apologies for the noise.
>
> On 21 May 2008, at 14:08, Michelle Konzack wrote:
>
>> On 2008-05-12 15:40:54, Stut wrote:
>> Note: I am working for the french Ministry of Defense.
>
> Ooh, give 'em a peanut. I live and work in the UK and every site I work on
> that uses Google Analytics has nothing specific about Google Analytics in
> the privacy policy. They all talk about use of , IP addresses and
> server logs and I've never had any complaints.

http://www.google.com/analytics/tos.html

7. PRIVACY . You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties' website(s)) with any personally identifying information from any source as part of Your use (or such third parties' use) of the Service. You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a that collects anonymous traffic data.

So yeah, you don't need to specifically mention google-analytics. And you're definitely not allowed to link it to any personally identifying information. On pain of Lawyers.

> But, at risk of labouring the point, I don't have an issue if you decide to
> worry about inconsequential things like websites gathering anonymous usage
> data so they can improve the experience for you. I couldn't care less if you
> disable Javascript to prevent evil popup ads. I don't really give a damn if
> you decide to use lynx as the ultimate surfer condom.

Really, I've no problem with sites gathering anonymous usage data. I only get a little more wary when it's a third-party collecting the data as I have no relationship with them.

On the other hand, it really does depend who the third party is: I'm not that bothered about Google. But I would block anything and everything from Phorm or the like without a second thought.

> My issue is purely and simply that if someone decides to remove half the
> code for something they should not feel they have the right to complain to
> the developers when they see errors. You wouldn't expect a car to work if
> you removed all the cylinders, would you? But I'd love to see the person's
> face when you take it back and complain.

I don't think that's an accurate metaphor. In this case they were allowing all the code from the originating web server to run, but were blocking an independent third party server.

It's more like expecting a car to work when you remove the trailer.

> Sometimes I wonder why I bother.

Pure contrariness? That's certainly my major motivation.

-robin

#39
On 22 May 2008, at 09:56, Robin Vickery wrote:
> 2008/5/21 Stut <stuttle@gmail.com>:
>> I was going to ignore this, but I'm in a confrontational mood
>> today, so please accept my apologies for the noise.
>>
>> On 21 May 2008, at 14:08, Michelle Konzack wrote:
>>
>>> On 2008-05-12 15:40:54, Stut wrote:
>>> Note: I am working for the french Ministry of Defense.
>>
>> Ooh, give 'em a peanut. I live and work in the UK and every site I
>> work on that uses Google Analytics has nothing specific about Google
>> Analytics in the privacy policy. They all talk about use of , IP
>> addresses and server logs and I've never had any complaints.
>
> http://www.google.com/analytics/tos.html
>
> 7. PRIVACY . You will not (and will not allow any third party to) use
> the Service to track or collect personally identifiable information of
> Internet users, nor will You (or will You allow any third party to)
> associate any data gathered from Your website(s) (or such third
> parties' website(s)) with any personally identifying information from
> any source as part of Your use (or such third parties' use) of the
> Service. You will have and abide by an appropriate privacy policy and
> will comply with all applicable laws relating to the collection of
> information from visitors to Your websites. You must post a privacy
> policy and that policy must provide notice of your use of a
> that collects anonymous traffic data.
>
> So yeah, you don't need to specifically mention google-analytics. And
> you're definitely not allowed to link it to any personally identifying
> information. On pain of Lawyers.

I think that's what I said, but thanks for the clarification.

>> But, at risk of labouring the point, I don't have an issue if you
>> decide to worry about inconsequential things like websites gathering
>> anonymous usage data so they can improve the experience for you. I
>> couldn't care less if you disable Javascript to prevent evil popup
>> ads. I don't really give a damn if you decide to use lynx as the
>> ultimate surfer condom.
>
> Really, I've no problem with sites gathering anonymous usage data. I
> only get a little more wary when it's a third-party collecting the
> data as I have no relationship with them.

I can kinda understand that, especially since Google could, if they wanted to, combine data from your travels around different sites to build a better picture of you, but since it's all anonymous the only use it would have is to provide better targeted advertising. I personally have no issue with that since if I have to see ads on the sites I visit I'd rather they were relevant to me.

> On the other hand, it really does depend who the third party is: I'm
> not that bothered about Google. But I would block anything and
> everything from Phorm or the like without a second thought.

Indeed, but Phorm is a completely different beast. In fact it's likely to be impossible to block content coming from Phorm since their system can potentially inject arbitrary code into pages before they reach you - you may not even know it's coming from them unless you read a site's privacy policy. The only way to block it will be to change to an ISP that doesn't use them. I wouldn't worry about it though, if it's going to be an opt-in service (which it looks like it will) I don't see enough people doing that to make it financially viable.

>> My issue is purely and simply that if someone decides to remove
>> half the code for something they should not feel they have the right
>> to complain to the developers when they see errors. You wouldn't
>> expect a car to work if you removed all the cylinders, would you?
>> But I'd love to see the person's face when you take it back and
>> complain.
>
> I don't think that's an accurate metaphor. In this case they were
> allowing all the code from the originating web server to run, but were
> blocking an independent third party server.
>
> It's more like expecting a car to work when you remove the trailer.

Not really since the car doesn't need the trailer to function properly. Maybe a better metaphor would be removing the aerial and then complaining that the radio reception is very poor.

>> Sometimes I wonder why I bother.
>
> Pure contrariness? That's certainly my major motivation.

I do like disagreeing with people, especially when I think/know I'm right.

-Stut

--
http://stut.net/

#40
I'm sure Stut (and others) have said enough, but I can no longer resist...

On May 21, 2008, at 8:08 AM, Michelle Konzack wrote:
> On 2008-05-12 15:40:54, Stut wrote:
>> CSS, but I may not be understanding what you mean by blunt.
>> Javascript can be written such that it eats CPU and/or memory but
>> this is of no benefit to anyone so unless you're running on a
>> prehistoric machine I can't see that being an issue. And it's worth
>> noting that even if a script starts hammering the machine most
>> browsers these days will notice that, suspend it and offer to kill it.
>
> About your "prehistoric machine":
>
> My Devel-Station is a "AMD Phenom Quad 9800", running Debian GNU/Linux
> Unstable, Testing and Stable in Xen-DomU and I know a couple of
> Websites where Mozilla/Iceape locks up to one minute, consuming 100%
> of CPU-Time and then showing a Message Box, that a Script is
> consuming very much resources and if I continue, my Computer would
> not more responsive...
>
> WTF?
>
>> It is causing the error since it has blocked loading the external
>> file but not the call to the code it contains. This, to me at least,
>> seems half-arsed. The error only exists on the page if you deny it
>> something that it needs to run correctly. IMHO the assumption that
>> if the call
>
> So forcing peoples to do things they do not want to do?

By holding a gun to your head?

> I do not know, what this urchinTracker() does, but since it is named
> "Tracker", I assume it is a tool, which collect infos about website
> users. A thing I do not like since it is violation of my privacy.

This statement appears to be one of ignorance. You claim that because you don't know what it does and it has a certain name, it MUST be a violation of your privacy. A violation of your privacy would be gaining *personally-identifiable* information w/o your knowledge - G.A. can't tell a web admin my first, middle, last names and DOB from my browser. Do some reading about the product and then make an educated statement.

>> to the urchinTracker function can run then so can the script tag to
>> pull in that code is pretty reasonable. In fact I make it all the
>> time in the code I write and I think the same would go for 99.999% of
>> developers using Javascript.
>
> Ehm you mean, that I am one of those 0.001%?
>
> Hmmm, I do not know a single JavaScript Developer here in Strasbourg
> who use it...

Either you're really popular to know lots of JS developers, or this is just another statement based on little or no facts. Asking the 3 guys next to you doesn't accurately summarize a city.

>> Urchin Tracker is a simple(!) analytics package and poses no danger
>> to you or your computer. In fact I would suggest it's anti-productive
>> to block it since it prevents the sites you visit from using the data
>> it provides to modify their site to make the experience better for
>> you.
>
> So collecting privacy infos about me? -- No thanks!

Again, no personally-identifiable information being sent...

>> That error is caused by your use of selective Javascript-blocking
>> technology, and while I work very hard to ensure the sites I develop
>> work as well as possible without Javascript I think it's unreasonable
>> to expect them to work with selective blocking.
>
> Selective because urchinTracker() tracker is collecting infos about
> me which I do not want to give out! -- Privacy violation!
>
> If you use such tools, you have to warn users of your website, that
> you are collecting data otherwise you could be run into trouble...

These statements are what really made me want to respond. From this statement, you are basically saying that a majority of the sites out there would have to have disclaimers. I know! Why don't we just require web developers to reveal the secrets!(TM) of their sites and give the source code so we can verify that they're not trying to find the name of my cat when I was 8? I mean, come on. "[W]arn users of your website"?? Don't get me wrong - I am all about security, but this appears to be taking it a bit far. As a web surfer, one should be aware of the potential risks and prepare reasonably!(TM) However, I must question if you should even be on the web... how do you sleep at night with all those javascript functions and just parading around the 'net?!

>> Well, some of his pages do but that's complicating the issue. As far
>> as I can tell the only bit of Javascript common to all Tedd's pages
>> is the Google Analytics code which is not required for you to use the
>> site, it just enhances the ability for Tedd to analyse how people are
>> using it.
>
> Ahh, -- urchinTracker() is from Google. :-)
>
> And if used without informing users, it is definitely a privacy
> violation. At least in most EU countries like Germany and France.

I must say that I can't speak for other countries (non-US), but I don't see how this is a privacy violation - no personally-identifiable information is being transmitted. If you consider an IP or web browser as personally-identifiable, then I say you're wrong. If we informed users about every tool we used to develop a site, I guarantee we'd lose their interest very quickly and they would go on to the next page that is not going to bombard them with information they could care less about.

>> It can and I care greatly about security, but Javascript is very well
>> locked down these days, and it's fairly difficult to get it to do
>> anything malicious. Can it do annoying things, yes (but rarely these
>> days, and usually only on 'special' sites), but I've not come across
>> anything malicious for quite some time.
>
> Since I am working mobile with my ThinkPad, I do not like to be
> tracked by this urchinTracker() crap since this mean, Google will
> track ANY of my customers where I am working if I use the Internet...

....and provide them a better experience on the web.

> This is not only a privacy violation, it is espionage...

Prove it.
> This is HOW secret services (the NSA is using Google) are working. Oh neat. You worked for Secret Services before you worked for the French Ministry of Defense. You must be quite the security-guru. ![]() >> In summary I can understand where you're coming from, and it's >> totally >> your choice to use something that modifies your browsing experience, >> but to then complain that it's causing errors on the sites you visit >> is, to me, beyond ridiculous. That's all I was trying to point out. > > I do not know in which country you are, but all peoples worldwide > should > block such shit coming from at least the USA/GB/IL. If you used Google Analytics, you could find where I'm typing this email... =P Ok, enough said from me - must get back to writing malicious code that will tell me what IP you're ISP has given you! ~Philip > Note: I am working for the french Ministry of Defense. > > > Thanks, Greetings and nice Day > Michelle Konzack > Systemadministrator > 24V Electronic Engineer > Tamay Dogan Network > Debian GNU/Linux Consultant "Personally, most of my web applications do not have to factor 13.7 billion years of space drift in to the calculations, so PHP's rand function has been great for me..." ~S. Johnson |
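The failure Stut describes in the text quoted above (the blocker denies the external file but the inline call to `urchinTracker()` still runs), next to a guarded call that tolerates it, as an added example that is not part of the original thread. The plain `scope` object standing in for the browser's global object, the `/index.php` path and the names `makeScope`, `unguardedBlock`, `guardedBlock` and `runBlock` are assumptions made for illustration.

```javascript
// Added illustration; not code from the thread or from Google Analytics.
// A plain object stands in for the browser's global scope so this runs in Node.
// In a browser the unguarded call fails with a ReferenceError; with the
// stand-in object the same mistake surfaces as a TypeError.

// Build a constructed "page": the external tracker file either loaded or was blocked.
function makeScope(externalScriptAllowed) {
  const scope = { hits: [], pageReady: false };
  if (externalScriptAllowed) {
    // Stand-in for the function the external file would define.
    scope.urchinTracker = (path) => { scope.hits.push(path); };
  }
  return scope;
}

// Inline script block that assumes the external file always loaded.
function unguardedBlock(scope) {
  scope.urchinTracker("/index.php");
  scope.pageReady = true; // never reached when the call above throws
}

// Inline script block that treats analytics as optional.
function guardedBlock(scope) {
  if (typeof scope.urchinTracker === "function") {
    scope.urchinTracker("/index.php");
  }
  scope.pageReady = true;
}

// Run one inline block the way a browser does: an uncaught exception aborts
// the rest of that block and is reported as a page error.
function runBlock(block, externalScriptAllowed) {
  const scope = makeScope(externalScriptAllowed);
  let error = null;
  try {
    block(scope);
  } catch (e) {
    error = e.name;
  }
  return { error, hits: scope.hits.length, pageReady: scope.pageReady };
}

console.log(runBlock(unguardedBlock, false)); // blocked tracker, unguarded call
console.log(runBlock(guardedBlock, false));   // blocked tracker, guarded call
console.log(runBlock(guardedBlock, true));    // tracker loaded, guarded call
```

With the guard in place, a visitor who blocks the tracker sees no script error, and the rest of the inline block still runs.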
#41 |
2008/5/22 Philip Thompson <philthathril@gmail.com>:
> I'm sure Stut (and others) have said enough, but I can no longer resist...
>
> On May 21, 2008, at 8:08 AM, Michelle Konzack wrote:
>
>> On 2008-05-12 15:40:54, Stut wrote:
>>
>> I do not know, what this urchinTacker() does, but since it is named
>> "Tracker", I assume it is a tool, which collect infos about Website users.
>> A thing I do not like since it is violation of my privacy.
>
> This statement appears to be one of ignorance. You claim that because you
> don't know what it does and it has a certain name, it MUST be a violation of
> your privacy. A violation of your privacy would be gaining
> *personally-identifiable* information w/o your knowledge - G.A. can't tell a
> web admin my first, middle, last names and DOB from my browser. Do some
> reading about the product and then make an educated statement.

Playing devil's advocate here:

Firstly, you're mischaracterising her statement. She says she's assuming it's a tool which collects information about users (which is true) and she says she doesn't like such tools because she sees them as a violation of her privacy (which is a matter of her opinion). She does not say that it must be a violation of her privacy *because* she doesn't know what it does and has a certain name.

Secondly, personally identifiable information doesn't have to be as obvious as firstname/lastname/dob as Brian Clifton (European Head of Web Analytics at Google) wrote in his book 'Advanced Web Metrics with Google Analytics':

"Note: On the internet, IP addresses are classed as personally identifiable information."

And Google Analytics is most definitely getting IP addresses, even if they say they discard them when they no longer need them.

>> If you use such tools, you have to warn users of your website, that you
>> are collecting data otherwise you could be run into trouble...
>
> These statements are what really made me want to respond. From this
> statement, you are basically saying that a majority of the sites out there
> would have to have disclaimers.

Well, actually section 7 of their terms of service with Google Analytics requires them to have notices.

> I know! Why don't we just require web
> developers to reveal the secrets!(TM) of their sites and give the source
> code so we can verify that they're not trying to find the name of my cat
> when I was 8? I mean, come on. "[W]arn users of your website"?? Don't get me
> wrong - I am all about security, but this appears to be taking it a bit far.
> As a web surfer, one should be aware of the potential risks and prepare
> reasonably!(TM) However, I must question if you should even be on the web...
> how do you sleep at night with all those javascript functions and
> just parading around the 'net?!

Have you had a little too much coffee today?

-robin
#42 |
Google Analytics, resides on the user's computer, requires bandwidth to download, processor time to run, installs without permission, ergo is malware.

Google Analytics has been included in the MS MVP hosts file since its inception, see link below

Web traffic monitors should be server side
bbclone is php http://www.bbclone.de -records the public information sent out in http requests

--
Adaware http://www.lavasoft.de
spybot http://www.safer-networking.org
AVG free antivirus http://www.grisoft.com
Etrust/Vet/CA.online Antivirus scan
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Panda online AntiVirus scan http://www.pandasoftware.com/ActiveScan/
Catalog of removal tools (1)
http://www.pandasoftware.com/download/utilities/
Catalog of removal tools (2)
http://www3.ca.com/securityadvisor/n...aspx?CID=40387
Blocking Unwanted Parasites with a Hosts file
http://mvps.org/win2002/hosts.htm
links provided as a courtesy, read all instructions on the pages before use,
long links may wrap

Grateful thanks to the authors and webmasters
_

"Philip Thompson" <philthathril@gmail.com> wrote in message
news:556FA57F-FD33-4A6B-B262-F631D6222AEC@gmail.com...
> I'm sure Stut (and others) have said enough, but I can no longer
> resist...
>
> On May 21, 2008, at 8:08 AM, Michelle Konzack wrote:
>
>> On 2008-05-12 15:40:54, Stut wrote:
>>> CSS, but I may not be understanding what you mean by blunt. Javascript
>>> can be written such that it eats CPU and/or memory but this is of no
>>> benefit to anyone so unless you're running on a prehistoric machine I
>>> can't see that being an issue. And it's worth noting that even if a
>>> script starts hammering the machine most browsers these days will
>>> notice that, suspend it and offer to kill it.