• mox@lemmy.sdf.org
    45·
    19 days ago

    Why do I need to know all of this stuff, why isn’t the web safe by default?

    The answer to questions like this is often that there was no need for such safety features when the underlying technology was introduced (more examples here) and adding it later required consensus from many people and organizations who wouldn’t accept something that broke their already-running systems. It’s easy to criticize something when you don’t understand the needs and constraints that led to it.

    (The good news is that gradual changes, over the course of years, can further improve things without being too disruptive to survive.)

    He’s not wrong in principle, though: Building safe web sites is far more complicated than it should be, and relies far too much on a site to behave in the user’s best interests. Especially when client-side scripts are used.

    • marcos@lemmy.world
      12·
      19 days ago

      Anything that didn’t need that kind of security from the beginning also wouldn’t break if it’s built.

      The stuff that would break are all vulnerable because it doesn’t exist.

  • BatmanAoD@programming.dev
    20·
    18 days ago

    First and foremost _____ is a giant hack to mitigate legacy mistakes.

    Wow, every article on web technology should start this way. And lots of non-web technologies, too.

  • milliams@lemmy.world
    1·
    19 days ago

    Thanks, very interesting. I’m a bit confused about what this means:

    explicit credentials are unsuitable for server-rendered sites as they aren’t included in top-level navigation

    What does “top-level navigation” mean here?

    • Lysergid@lemmy.ml
      21·
      18 days ago

      ‘’’ Note: When I say “top-level” I am talking about the URL that you see in the address bar. So if you load fun-games.example in your URL bar and it makes a request to your-bank.example then fun-games.example is the top-level site. ‘’’ Meaning explicit creds won’t be sent. Even if fun-games knows how to send explicit creds, it can’t because fun-games does not have access to creds which stored for your-bank. Say suppose your-bank creds stored in local store. Since current URL is fun-games it can only access local storage of fun-games, not your-bank.

  • Lysergid@lemmy.ml
    13·
    19 days ago

    Thank you! I was always wondering why the heck this (mostly) useless and broken mechanism exists. I had hesitations about disabling it but had doubts about my understanding. Now I know I’m right