Johny.: JavaScript can't install malware on your computer
goglin: That's right. But JavaScript can be used to detect vulnerabilities in the browser or browser's plugins.
A few weeks ago NYT, BBC, MSN, AOL were affected by malicious ads, injecting code via JS:
http://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-in-us-leads-to-angler-exploit-kitbedep/
I'm sure we won't run malicious JS. :) We think we know what we're doing. ;) I understand and appreciate this (theoretical) conversation about security though.
goglin: But more important: as a good dev please include your tracking code in a way that it doesn't crash the whole website if it can't be loaded.
Google analytics tracking is implemented in a way - that if you block analytics domains and cookies - site will still run OK.
But in simple words - as with cloudfront example - if you'd block JS file that is trying to call analytics, you'd break the site.
goglin: While having Firefox's tracking protection enabled it will do so (JS enabled, FF46.0.1). Entry from the console:
> The resource at "https://d3tvtfb6518e3e.cloudfront.net/2/angular-opbeat.min.js" was blocked because tracking protection is enabled.
There is (imho) a good example of how to implement GA without breaking functionality when for some reason (like DNT) a third-party service is not available:
https://hacks.mozilla.org/2016/01/google-analytics-privacy-and-event-tracking/
Please consider privacy and DNT as "not evil" :)
Yup, we have similar implementation (as I mentioned above) for GA.
The above warning is a different thing, because this is angularjs module, which is required for angular to work. You could block calls to opbeat servers only and it would be OK.
I've enabled "Do not track" in Firefox and didn't have this warning concerning opbeat. In FF private mode GA was blocked, but site worked OK. I'll check more machines/FF versions/smth.
Johny.: I'll watch the video later - sounds interesting. JavaScript can BE malware (somewhat restricted by the browser security), but can't install any. ;)
Stay safe!
Did someone try the NoScript settings I suggested, or have a bad opinion about them? ;)
blakstar: Well, I suppose you could say that technically it can, but, as you obviously know, you require some kind of user interaction, usually from the less Internet savvy ones. :-)
EDIT: Sorry, just a silly observation of mine -- having a beer, scanning through the GOG threads in general! :-)
mrkgnao: I'm not sure that's right.
You could have an HTML/JavaScript button (e.g. labelled "I'm not a robot") that when clicked writes a file to the disk. The contents of that file could be anything.
Still - it's not JS that installs the malware. :) I'm not saying JS can't be malicious. Just as any type of code.
DeMignon: It's also not very comforting to tell us, that it's "HTTP only" by the way.
"HTTP only" cookie means it can't be read by JavaScript. It's comforting - it prevents userscripts from stealing it. ;)
Smogg: it appears to be IE 9
musteriuz: I also use IE9 on a WinVista machine and I still have no account button except on the forum and when I go there it's blank. I can't add things to my wishlist, I can't purchase and I can't even see my games to download the ones I purchased over the last 2 weeks and haven't downloaded yet. I just updated Java to the latest available version and the problem didn't change a bit.
Please, please, update your browser to the newest IE, Chrome (or its brothers) or Firefox. Others mentioned a lot of reasons for it. :)