target=_blank exploit
-
@error my avatar was going to be a really long animated gif that very gradually faded to monochrome over the course of about 15 minutes so that people would wonder if they were just imagining it. Then of course it was shortly after @ben_lubar disabled animated avatars, so I just made it a static version so it'd at least emojify correctly.
-
@cartman82 said in target=_blank exploit:
Apparently, if you open a site with target="_blank", they can reach back and mess with your original window, including transfer you to a phishing website.
Hey, now! Don't go messing with features that some of us really, really need. Like the ability to change the DOM in the parent window's page from the child window. Yes, we actually do this on our site.
But IIRC, that it only works if the two windows are on the same host and protocol (HTTP/S). Cross-domain scripting restrictions should prevent that. And then if you want to cross domains you need to use window.postMessage(), which allows the recipient to check the sender's domain before processing message.
-
@Maciejasjmj said in target=_blank exploit:
@anotherusername or just don't use
target="_blank". It's 2016, mouses have middle buttons, the last browser that didn't support tabs is long dead, there's pretty much no point in using it anymore. If I want something opened in a new tab, I'll just open it in a new tab, thank you very much.I like that I can click and forget on mobile: middle click is a long press and it takes time.
But I guess mobile is different.
-
@anonymous234 said in target=_blank exploit:
@mott555 said in target=_blank exploit:
A lot of sites disable middle-click now. I really want to beat them with a spiky clue-bat.
Someone needs to create and maintain a "things that are not acceptable to do in a website ever" list.
- Break middle click
- Make the page jump up and down (no, not even while loading, if the page is visible it should be usable, otherwise just hide it and show a spinner)
Break fucking right click. And add "found on My Stupid Website" to copied content.
-
@Tsaukpaetra I'm waiting for the combination of a good idea and the motivation to bring together my non-existent image editing skills.
Plus, there doesn't seem to be any regular using the same as me, so in effect it's as recognizable as whatever-dark-scribble-wiggly-thing is on yours, for example (for me, it's just "the dark wiggles").
-
@error said in target=_blank exploit:
Don't give Nod
too much credit. Much of the jellypotato behavior can be ascribed to the way it uses socket.io to broadcast messages.So, some weird web framework dark stuff that nobody can be bothered to understand or use correctly? Seems par for the course.
-
@anotherusername said in target=_blank exploit:
-- nope.
-- there's mine.
:@remi: -- nope.Didn't know about the
:@Username:thing. But why is it broken in @remi 's case?
-
@Zecc said in target=_blank exploit:
Didn't know about the
:@Username:thing. But why is it broken in @remi 's case?I would guess that it 's because I'm using the default avatar (i.e. couldn't be bothered to make one, see above) and that node
is as broken as 
that was too retarded to simply generate a picture once and use that?(
is clearly a non-default picture, I'm guessing also is based on this)Or maybe it's that my account is very recent, so a server somewhere is still pondering wisely if I should be allowed to be mentioned?
-
@remi said in target=_blank exploit:
I'm using the default avatar
The default
avatar is actually just a div with some text in it; you can select the letter. That's why it can't be (easily) rendered as a small picture; there's no picture there. The cheap-ass way to fix this is to screengrab the “avatar” and upload that as an image. Possibly with modifications if that floats your boat.
-
@dkf said in target=_blank exploit:
@remi said in target=_blank exploit:
I'm using the default avatar
The default
avatar is actually just a div with some text in it;So yep, what I said:
node
is as broken as that was too retarded to simply generate a picture once and use that'cause, you know, it's much better to make sure that new users don't get a fully-usable profile by default (and without telling them, of course).
-
@remi said in target=_blank exploit:
don't get a fully-usable profile by default
AFAIK everything else works the same, and the
:@mention:thing is actually our own plugin, not a standard feature, so...
-
@Onyx Ah, so it's only TDWTF that is
. Or exposing the fact that node is . Meh.(oh, my first contact with the editor: auto-completion of :foo... jumps to where the mouse cursor is even if that doesn't match what I'm typing. Nice.)
-
@remi said in target=_blank exploit:
oh, my first contact with the editor: auto-completion
Fuck that thing in its
-
@remi said in target=_blank exploit:
it's just "the dark wiggles"
I'm... the... Bwahaha!
Engine thanks you a lot for that image!@remi said in target=_blank exploit:
jumps to where the mouse cursor is
Yeah, I stopped leaving my mouse position anywhere near where I expect dropdowns for that specific reason.
-
Speaking of exploits and mouse cursor... Anyone seen this (works best on maximized Chrome)?
(side note: cool onebox
)What it does is set your mouse cursor (via
document.body.style.cursor) to a large image showing a fake cursor and fake security padlock.Because the mouse cursor is not part of the DOM and is painted over the whole window, it's possible to escape the browser's content frame and paint over the browser chrome.
The padlock is drawn taking into account the mouse position as it hovers over the page, in the position a real padlock is expected to be.
The fake mouse cursor is drawn with an offset, so that when you think you're clicking on the browser's security padlock to see the website's security information, you're still actually clicking inside the page so it can detect the click and display a fake popup.
Fortunately the maximum cursor size is 128x128, so the ability to maintain this illusion is limited.
-
@bb36e said in target=_blank exploit:
Hijack scrolling
As long as it isn't the browsers main scroll bar affected, meh.
If you want virtual scrolling, then use a virtual scrollbar.
-
@Zecc said in target=_blank exploit:
inside the page so it can detect the click and display a fake popup.
I noticed that, that was pretty clever, except my anality detected it was positioned incorrectly.
Nifty nifty! I was wondering how my cursor's theme changed...
-
@Zecc said in target=_blank exploit:
cursory hackHoly shit, how is it drawing a fake cursor over my tab bar?
The padlock is in the wrong place though.
-
@xaade i'm talking about when sites implement 'smooth scrolling' on their own, which results in scrolling being delayed and not at all responsive
or when you come across one of those sites that is a full-screen slideshow and you have to step past each slide, waiting for their animation to complete
-
@Zecc said in target=_blank exploit:
cursory hack
The cursor is buggy in Vivaldi when you move your mouse to the refresh button and then back into the page. Otherwise, a nice idea.
-
@Tsaukpaetra said in target=_blank exploit:
@remi said in target=_blank exploit:
it's just "the dark wiggles"
I'm... the... Bwahaha!
Engine thanks you a lot for that image!Wait 'till you learn how I call other regulars...
@remi said in target=_blank exploit:
jumps to where the mouse cursor is
Yeah, I stopped leaving my mouse position anywhere near where I expect dropdowns for that specific reason.
I love when everybody know of a bug but nobody can be bothered to fix it.
Oh, and the consistency of messages, also:
"Are you sure you wish to discard this post?"
"Cancel", "OK"
-
@asdf said in target=_blank exploit:
buggy
@asdf said in target=_blank exploit:
Vivaldi
Yes.
I want to use the damned thing but... ugh. It always pisses me off with something. Like going back when I hit backspace while trying to post here...
-
@Zecc said in target=_blank exploit:
Speaking of exploits and mouse cursor... Anyone seen this (works best on maximized Chrome)?
(side note: cool onebox
)What it does is set your mouse cursor (via
document.body.style.cursor) to a large image showing a fake cursor and fake security padlock.Because the mouse cursor is not part of the DOM and is painted over the whole window, it's possible to escape the browser's content frame and paint over the browser chrome.
The padlock is drawn taking into account the mouse position as it hovers over the page, in the position a real padlock is expected to be.
The fake mouse cursor is drawn with an offset, so that when you think you're clicking on the browser's security padlock to see the website's security information, you're still actually clicking inside the page so it can detect the click and display a fake popup.
Fortunately the maximum cursor size is 128x128, so the ability to maintain this illusion is limited.
Doesn't work on my Firefox ...
EDIT: Actually, it seems all kinds of un-working in Chrome as well.
-
@Zecc said in target=_blank exploit:
The padlock is drawn taking into account the mouse position as it hovers over the page, in the position a real padlock is expected to be.
Doesn’t work at all in Safari (well, other than the cursor being displayed in the wrong place.) It works sort of in Chrome when I try it, but the padlock jumps up, down, and sideways by a few pixels any time the mouse moves. Also, as soon as the real mouse pointer is over the “Ben’s amazing hack” link it jumps back to that as a hand cursor. A more subtle thing is that the fake cursor is slightly wrong in both browsers, mainly in having no shadow but also because it looks like it’s not quite the right size. That last bit is hard to catch, though, unless you’re really looking for things to be wrong.
Good effort, IOW, but not convincing enough. Someone really wanting to use this for nefarious purposes might be able to overcome those issues, though.
-
@Onyx said in target=_blank exploit:
Like going back when I hit backspace while trying to post here...
You could switch to Chrome
-
@aliceif said in target=_blank exploit:
Doesn't work on my Firefox ...
EDIT: Actually, it seems all kinds of un-working in Chrome as well.Oh, it works. It just doesn't look good.
-
@aliceif Opera Chromiclone is pretty much just Chrome with like 4 plugins. I use two of those regularly and it's less work to install Opera instead of Chrome + plugins.
What I'm saying is I'm using what could be considered Ubuntu to Chrome's Debian. Personally, I'm ok with this.
Filed under: It also might be transferring less data to Google. Might.
-
@Onyx I was making a joke regarding Chrome's recent removal of
as a shortcut key.
-
@aliceif Oh... wasn't aware of that, I don't use Chrome so, you know, I kinda don't care... much.
-
@Onyx said in target=_blank exploit:
Oh... wasn't aware of that
?
@FrostCat raged all over the status thread when it happened!
And I think @Lorne-Kates also participated.
-
@aliceif status thread gets away from me at times. If I don't read it for a day or two (like on weekends) the volume of posts gets to the point where I CBA and I just hit End...
-
@bb36e said in target=_blank exploit:
@xaade i'm talking about when sites implement 'smooth scrolling' on their own, which results in scrolling being delayed and not at all responsive
or when you come across one of those sites that is a full-screen slideshow and you have to step past each slide, waiting for their animation to complete
Or those pages where scrolling animates the page...
-
@remi said in target=_blank exploit:
I love when everybody know of a bug but nobody can be bothered to fix it.
This happens in other actual applications too. Can't be bothered to rig up a sample one to specifically demo it, but it's not just a NodeBB bug.
-
@anonymous234 This is the exact use case I used it for in my last web app.
It was a system to create map editing requests and one of the optional inputs opened up a (simplified) full page map so you could draw a rectangle on the map that contained the area of the map your requested change was in.
I say optional, but the outline box was mandatory... but the system had a bunch of presets for county, city, and township level boxes.
