50ft Woman

A lot of noise has been generated around the CSS History Hack. Some people are skeptical about it and think that it can be fixed by installing the latest Firefox version; others believe that IE is not affected. Unfortunately, both groups are wrong.

The problem with the CSS History Hack is that the malicious JavaScript code that silently dumps your history is not malicious at all. The code makes use of a feature which was never designed with security in mind, and it affects everything that supports CSS and the DOM. Removing this feature will cause a lot of accessibility problems. The same applies to many other malicious techniques that have been developed recently.

The Internet, and mainly the World Wide Web, is designed to be accessible. Many different technologies need to work with each other in a transparent way. The user is the center of the universe, and providing a better environment for this center in theory makes more money for the service provider. All of this leads to less security. A truly secure browser would ask you to approve everything it does, from launching a popup window to executing a tiny chunk of code. However, this will never happen. Clicking through thousands of alert boxes is far from what most users call fun. If you enforce it, you had better be prepared to lose a lot of users.

A quite fresh example is the cross-domain policy file introduced in Flash. crossdomain.xml improves the security of your site by denying the current SWF object access to your resources unless a rule is specifically written for it. Although at the very beginning a lot of webmasters hardened their document root folders with strong cross-domain security policies, now it seems that most of them are starting to realize that they are losing a lot of users, because the company next door provides the same service and it is free for all. The purpose of the security model has disappeared.
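The two policies described above side by side, as an added illustration that is not part of the original post: the "free for all" crossdomain.xml that webmasters drift towards, followed by the restrictive one they started with. The domain names are placeholders.

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<!-- Weak policy: any SWF served from any origin may read this site's
     resources with the visitor's cookies attached. This is the
     "free for all" setting that wins users and loses the security model. -->
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
```

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<!-- Restrictive policy: only SWFs hosted on the named partner origin
     (placeholder) may access resources, and only over HTTPS. The
     site-control element stops policy files elsewhere under the
     document root from widening this master policy. -->
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.partner.example" secure="true" />
</cross-domain-policy>
```

A quick check when auditing a site is to fetch `/crossdomain.xml` and look for `domain="*"`: that single attribute is the point at which the policy stops being a security control.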

Security vs. accessibility: one of the very well known dilemmas we encounter every day.