Archive for the ‘Web’ Category

Microsoft culls secret Flash whitelist after Google points out its insecurity

February 20th, 2019
Microsoft culls secret Flash whitelist after Google points out its insecurity

Enlarge (credit: Aurich Lawson)

In 2017, Microsoft changed its Edge browser so that Flash content would be click-to-run (or disabled outright) on virtually every site on the Web. A handful of sites were to be whitelisted, however, due to a combination of Flash dependence and high popularity.

The whitelist was intended to make it easier to move to a world using HTML5 for rich interactive content and to limit the impact of any future Flash vulnerabilities. At the same time, the list would still allow sites with complex Flash-dependent content to keep on running. If only a few trusted sites can run Flash content by default, it should be much harder for bad actors to take advantage of Flash flaws. A similar approach was adopted by other browsers; Google, for example, whitelisted the top-10 Flash-using sites for one year after switching Chrome to "click-to-run."

But Google figured out how Edge's whitelist worked (via ZDNet) and found that its implementation left something to be desired. The list of 58 sites (56 of which have been identified by Google) including some that were unsurprising; many of the entries are sites with considerable numbers of Flash games, including Facebook. Others seemed more peculiar; a Spanish hair salon, for example, was listed.

Read 2 remaining paragraphs | Comments

Posted in browsers, EDGE, flash, microsoft, Tech, Web | Comments (0)

Google partially backtracks on Chrome changes that would break ad blockers

February 18th, 2019

Google has said that it will revise the proposed changes to Chrome's extension API that would have broken or reduced the functionality of a wide range of ad-blocking extensions, to ensure that the current variety of content-blocking extensions is preserved. The initial plans generated a wide backlash from both the developers and users of those extensions, but Google maintains that "It is not, nor has it ever been, our goal to prevent or break content blocking" [emphasis Google's] and says that it will work to update its proposal to address the capability gaps and pain points.

The advertising company is planning an overhaul of its extension interface to, among other things, increase user privacy, make it harder for extensions to perform malicious actions, and make the browser's performance more consistent. Together, this work is documented as Manifest V3.

One of these changes in particular had grave consequences for ad blockers. Currently, ad blockers make extensive use of an API named webRequest. This API allows extensions to examine every single network request made by a page and either modify it (to, for example, redirect it to a different address or add or remove cookies), block it altogether, or allow it to continue unhindered. This has both a substantial privacy impact (an extension can see and steal your cookies and hence masquerade as you) and, Google said, some performance impact, as every single network request (of which there may be dozens in a single page) has to wait for the extension to perform its analysis.

Read 7 remaining paragraphs | Comments

Posted in ad blockers, chrome, Chromium, development, google, Open Source, Tech, Web | Comments (0)

Opera shows off its smart new redesign that’s just like all the other browsers

February 14th, 2019
Both the new dark view and light view look good.

Enlarge / Both the new dark view and light view look good. (credit: Opera)

Opera has unveiled a new look and feel for its browser. Expected to ship in version 59 and codenamed "Reborn 3" (R3), the new appearance adopts the same square edges and clean lines that we've seen in other browsers, giving the browser a passing similarity to both Firefox and Edge.

The principles of the new design? "We put Web content at center stage," the Opera team writes on its blog. The design is pared down so that you can browse "unhindered by unnecessary distractions." Borders and dividing lines have been removed, flattening out parts of the browser's interface and making them look more uniform and less eye-catching. The new design comes with the requisite dark and light modes, a welcome trend that we're glad to see is being widely adopted.

Being Web-centric is not a bad principle for an application such as a browser, where the bulk of the functionality and interest comes from the pages we're viewing rather than the browser itself. At first blush, I think that Opera has come up with something that looks good, but it does feel like an awfully familiar design rationale.

Read 3 remaining paragraphs | Comments

Posted in browsers, opera, redesign, Tech, Web | Comments (0)

Microsoft: Yeah, we make Office 2019 and Internet Explorer, but don’t use ‘em

February 8th, 2019

Two twins race to complete a PowerPoint challenge.

In an unusual turn of events, Microsoft this week warned Windows users off from using its Internet Explorer and dissed its new Office 2019 suite in a series of videos that show it to be worse than the competition.

While Windows 10 uses the newer, faster, much more standards compliant Edge browser as its default, it still ships with Internet Explorer 11. Enterprise customers with legacy systems from time to time want to make Internet Explorer 11 the default, but Microsoft doesn't think this is a good idea. Internet Explorer 11 isn't being updated to support new Web technology (and indeed, hasn't been updated for many years), existing only as a compatibility tool to access legacy "designed for Internet Explorer" content that simply won't work properly in any other browser.

As such, while it might be tempting to set Internet Explorer as the default to ensure that any intranet and line-of-business applications continue to work, that comes at a price. It will be slower, less secure, and increasingly incompatible with the broader Web as developers drop the old browser from their testing. So please, use it only when it's absolutely necessary.

Read 2 remaining paragraphs | Comments

Posted in Internet Explorer, microsoft, office, productivity, Tech, Web | Comments (0)

With experimental “Never slow mode,” Chrome tries to stop Web devs making it slow

February 6th, 2019
The word SLOW has been painted on a street for the benefit of drivers.

Enlarge / Google wants less of this. (credit: Vegansoldier / Flickr)

Since Chrome's very first release, performance has been one of Google's top priorities. But Google is against a competing force: Web developers. The Web of today is a more-complex, bandwidth-intensive place than it was when Chrome was first released, which means that—although Internet connections and the browser itself are faster than they've ever been—slow pages remain an everyday occurrence.

Google engineers have been developing "Never Slow Mode" in a bid to counter this. Spotted at Chrome Story (via ZDNet), the new mode places tight limitations on Web content in an effort to make its performance more robust and predictable.

The exact design and rationale of Never Slow Mode aren't public—the changelog for the feature mentions a design document but says it's currently Google-internal. But taken together, that design and rationale will ensure that the browser's main thread never has to do too much work and will never get too delayed. They will also ensure that only limited amounts of data are pulled down over the network. This should make the browser more responsive to user input, lighter on the network, and a bit less of a memory hog than it would otherwise be.

Read 4 remaining paragraphs | Comments

Posted in browsers, chrome, Chromium, google, HTML, Open Source, Tech, Web | Comments (0)

Firefox taking a hard line against noisy video, banning it from autoplaying

February 5th, 2019
No red pandas were harmed in the making of this image, I promise.

Enlarge / No red pandas were harmed in the making of this image, I promise. (credit: Aurich / Getty)

Last year, Chrome introduced changes to try to prevent the persistent nuisance that is pages that automatically play noisy videos. Next month, Firefox will be following suit; Firefox 66, due on March 19, will prevent the automatic playback of any video that contains audio.

Mozilla's plan for Firefox is a great deal simpler, and a great deal stricter, than Chrome's system. In Chrome, Google has a heuristic that tries to distinguish between those sites where autoplaying is generally welcome (Netflix and YouTube, for example) and those where it isn't (those annoying sites that have autoplaying video tucked away in a corner to startle you when it starts making unexpected sounds). Firefox isn't doing anything like that; by default, any site that tries to play video with audio will have that video playback blocked.

Firefox users will be able to grant autoplay audio permission on a site-by-site basis.

Firefox users will be able to grant autoplay audio permission on a site-by-site basis.

Firefox users will be able to override this block on a site-by-site basis, so those sites where autoplay is inoffensive can have it re-enabled. This permission is automatically extended to sites that have previously been granted access to microphones or webcams, so that audio and video communications apps built using WebRTC will work as expected. Firefox will also allow muted video to play back automatically.

Read on Ars Technica | Comments

Posted in browsers, development, Firefox, Open Source, Tech, Web | Comments (0)

Report: Microsoft is scrapping Edge, switching to just another Chrome clone

December 4th, 2018
Report: Microsoft is scrapping Edge, switching to just another Chrome clone

Enlarge (credit: Getty / Aurich)

Windows Central reports that Microsoft is planning to replace its Edge browser, which uses Microsoft's own EdgeHTML rendering engine and Chakra JavaScript engine, with a new browser built on Chromium, the open source counterpart to Google's Chrome. The new browser has the codename Anaheim.

The report is short on details. The easiest thing for Microsoft to do would be to use Chromium's code wholesale—the Blink rendering engine, the V8 JavaScript engine, and the Chrome user interface with the Google Account parts omitted—to produce something that looks, works, and feels almost identical to Chrome. Alternatively, Redmond could use Blink and V8 but wrap them in Edge's user interface (or some derivative thereof), to retain its own appearance. It might even be possible to do something weird, such as use Blink with the Chakra JavaScript engine. We'll have to wait and see.

Since its launch with Windows 10, Edge has failed to gain much market share. The first iterations of Edge were extremely barebones, offering little more than a basic tabbed browser—no extensions, little control over behavior. Early releases of Edge were also not as stable as one might have liked, making the browser hard to recommend. Three years later on and Edge is greatly—but unevenly—improved. The browser engine's stability seems to be much better than it was, and performance and compatibility remain solid (though with the exception of a few corner cases, these were never a real concern).

Read 7 remaining paragraphs | Comments

Posted in browsers, chrome, EDGE, microsoft, standards, Tech, Web, Windows | Comments (0)

The next version of HTTP won’t be using TCP

November 12th, 2018
The next version of HTTP won’t be using TCP

Enlarge (credit: Andy Maguire / Flickr)

The next version of the Hypertext Transfer Protocol (HTTP)—the network protocol that defines how browsers talk to Web servers—is going to make a major break from the versions in use today.

Today's HTTP (versions 1.0, 1.1, and 2) are all layered on top of TCP (Transmission Control Protocol). TCP, defined as part of the core set of IP (Internet Protocol) layers, provides reliable, ordered, and error-checked delivery of data over an IP network. "Reliable" means that if some data goes missing during transfer (due to a hardware failure, congestion, or a timeout), the receiving end can detect this and demand that the sending end re-send the missing data; "ordered" means that data is received in the order that it was transmitted in; "error-checked" means that any corruption during transmission can be detected.

These are all desirable properties and necessary for a protocol such as HTTP, but TCP is designed as a kind of one-size-fits-all solution, suitable for any application that needs this kind of reliability. It isn't particularly tuned for the kinds of scenarios that HTTP is used for. TCP requires a number of round trips between client and server to establish a connection, for example; using SSL over TCP requires subsequent round trips to establish the encrypted connection. A protocol purpose-built for HTTP could combine these negotiations and reduce the number of round trips, thereby improving network latency.

Read 4 remaining paragraphs | Comments

Posted in HTTP, IETF, networking, open standards, Programming, quic, standards, Tech, Web | Comments (0)

Firefox 63 blocks tracking cookies, offers a VPN when you need one

October 23rd, 2018

Firefox 63, out today, includes the first iteration of what Mozilla is calling Enhanced Tracking Protection (ETP), a feature to improve privacy and stop your activity across the Web from being tracked.

Tracking cookies store some kind of unique identifier that represents your browser. The cookie is tied to a third-party domain—the domain of the tracking company, rather than the site you're visiting. Each site you visit that embeds the tracking cookie will allow the tracking company to see the sites you visit and, using that unique identifier, cross-reference different visits to different sites to build a picture of your online behavior.

Firefox has long had the ability to block all third-party cookies, but this is a crude solution, and many sites will break if all third-party cookies are prohibited. The new EPT option works as a more selective block on tracking cookies; third-party cookies still work in general, but those that are known to belong to tracking companies are blocked. For the most part, sites will retain their full functionality, just without undermining privacy at the same time.

Read 4 remaining paragraphs | Comments

Posted in browsers, cookies, Firefox, Mozilla, Privacy, Tech, tracking, Web | Comments (0)