Changes made to the way javascript is handled in ProZ.com profiles
Thread poster: Jason Grimes

Jason Grimes
SITE STAFF
Aug 7, 2009

Javascript is a form of dynamic web content that has many valid uses but that also carries security risks.

A change is now being made to the way javascript is handled in ProZ.com profiles:

* For reasons of security, javascript included in ProZ.com profiles owned by non-members will no longer be displayed.

* The display of member profiles -- including javascript -- will not change. However, viewers of member profiles that include javascript will be given an opportunity to confirm or deny acceptance of that content before it will be shown.

About 1% of non-member profiles contain javascript; about 1000 non-member profile owners have entered such content. There are many legitimate reasons a user might wish to include custom javascript in his or her profile page. For example, some profiles use javascript to provide custom messaging tools so potential clients can contact them more easily. Unfortunately, allowing this javascript also creates a security risk.

Steps have been taken to minimize the disruption that disallowing this custom javascript could cause. ProZ.com member profiles can still be viewed with the custom javascript enabled, but the viewer will be given the choice of whether to allow the javascript to run. When viewing the profiles of non-members, however, custom javascript will always be disabled.

For more information, please see these FAQs.

Note that if you used custom javascript in order to add a hit counter or instant messenger to your profile, you may be able to get a similar result with tools provided by ProZ.com that do not carry the same security risk. See the FAQs above for details.

I'm sorry for the inconvenience that may be caused to those who have javascript content in their profiles. This measure is being taken as a security precaution. It brings ProZ.com's policy on dynamic content in profiles in line with much of the rest of the Internet. If you have questions that aren't answered here or in the FAQs, please post them in this thread.

Best regards,
Jason

[Subject edited by staff or moderator 2009-08-08 03:04 GMT]


Andreas Nieckele
Brazil
English to Portuguese
CSS also disabled? Aug 7, 2009

Dear Jason,

I invested a lot of time modifying my profile page with custom CSS and an iframe. I noticed that both of them stopped working around the same time that you announced this measure. The CSS is not working even if I try to include it directly in the page, inside of <style> tags.

I can understand that iframes MAY pose a security risk, but why not allow custom CSS? I cannot imagine possible security risks derived from changing some colors or font sizes.

I can easily live without the iframe, but we need to be able to style the html content on our profiles. Please say the custom CSS can stay.

Thanks

[Edited at 2009-08-07 19:41 GMT]


Siegfried Armbruster
Germany
Member (2004)
English to German
+ ...
Angry and disappointed Aug 7, 2009

I am too angry and disappointed to produce a statement. I'm just copying the 2 emails I sent to Jason and Jared:

Dear Jason,
thanks a lot for at least letting me know after disabling this feature. I would have preferred to have been warned a few days in advance. This would have allowed me to redesign my page before your measures killed the interactivity. But I guess it is in line with Proz communication policy.

Siegfried


Dear Jared,
let's put it in clear words. Proz is not communicating with its users. The latest incident just happened a few minutes ago, when I was informed that the Javascript I used had been disabled by Proz due to "security problems" Javascript might create. I'm not arguing that you have the right to disable Javascript for this reason. But it is also clear that you guys had to take the decision to take such a step, spend some time implementing it, etc. Informing the users that do use Javascript after disabling the feature is in my opinion absolutely unacceptable. It would have cost you one mail after you took the decision to inform me that from date X the feature is disabled. This would have allowed me to do something about it. The way Proz handled it leaves me with a "dead" profile. Thank you very much. You (Proz) seem not to realize that we do have our schedules too, and I now have to make some emergency changes to make my profile at least usable again.

Perhaps if you just try to put yourself into my position, you might be able to understand what I mean with my statement "Proz is heading into the wrong direction".

Siegfried

Please note that in the mail to Jared there are some statements which relate to an email exchange I had with Jared on another topic.


The lesson I learned from this is, never trust Proz, they will change whatever they want, whenever they want. How can anybody entrust them with more sensitive data such as invoicing data, they might come up with a change tomorrow and inform you later how sorry they are that all your invoices are gone, no longer accessible or that they sold the information to a third party.




[Edited at 2009-08-07 20:03 GMT]


Jason Grimes
SITE STAFF
TOPIC STARTER
Will look into issues with CSS Aug 7, 2009

Andreas Nieckele wrote:

Dear Jason,

I invested a lot of time modifying my profile page with custom CSS and an iframe. I noticed that both of them stopped working around the same time that you announced this measure. The CSS is not working even if I try to include it directly in the page, inside of <style> tags.

I can understand that iframes MAY pose a security risk, but why not allow custom CSS? I cannot imagine possible security risks derived from changing some colors or font sizes.

I can easily live without the iframe, but we need to be able to style the html content on our profiles. Please say the custom CSS can stay.

Thanks

[Edited at 2009-08-07 19:41 GMT]


Hi Andreas,

Thanks for reporting this issue. I'll restore support for custom CSS shortly.

Best regards,

Jason


Jason Grimes
SITE STAFF
TOPIC STARTER
Javascript is not disabled in members' profiles Aug 7, 2009

Siegfried Armbruster wrote:
thanks a lot for at least letting me know after disabling this feature. I would have preferred to have been warned a few days in advance.


Hi Siegfried,

To be clear, javascript is not disabled in your profile. Because of the potential security risk to the viewer, it seems only fair that the viewer should have the option to disable it if he or she chooses. But it is also possible to view all dynamic content in your profile exactly as you designed it (nice job, by the way).

It was because of profiles like yours that ProZ.com went to this extra effort to continue to support javascript in members' profiles, while balancing that against the responsibility to provide a secure service.

Best regards,

Jason


Stanislaw Czech, MCIL
United Kingdom
Member (2006)
English to Polish
+ ...
It's not a tragedy in my case Aug 7, 2009

as the JavaScript was used to display Skype's "contact me" button. However, it would indeed be nice to be warned in advance. Also, I am not sure if disabling JavaScript by default is the best option. Maybe it would be better to give the visitor the option of switching JS off?

Best Regards
Stanislaw


Jason Grimes
SITE STAFF
TOPIC STARTER
Viewer has the option to see javascript in members' profiles Aug 7, 2009

Stanislaw Czech wrote:

as the JavaScript was used to display Skype's "contact me" button. However, it would indeed be nice to be warned in advance. Also, I am not sure if disabling JavaScript by default is the best option. Maybe it would be better to give the visitor the option of switching JS off?

Best Regards
Stanislaw


Hi Stanislaw,

That's exactly the option that's available for members profiles. Obviously I didn't express myself clearly above--I will edit my post in an attempt to clarify.

Best regards,

Jason


Marek Buchtel
Czech Republic
Member (2005)
English to Czech
+ ...
Option to switch JS on Aug 7, 2009

Stanislaw Czech wrote:

Maybe it would be better to give the visitor the option of switching JS off?



That's what has been done, as far as I understand.
When I visit your profile, I'm asked:

Accept dynamic content from this profile owner?
This profile contains dynamic content (javascript) supplied by the profile owner. Although such content is common on the internet and is likely harmless, there is a possibility that security risks may be involved. Learn more.

Would you like to accept dynamic content from this profile owner?


With two buttons under it:
Yes, run javascript
No, do not run javascript

Seems fair to me.
(But of course, an advance notification would be best)

Marek

[Edited at 2009-08-07 20:30 GMT]

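The gate described in Jason's announcement (non-member profiles: owner-supplied scripts never shown; member profiles: shown only after the viewer accepts the prompt that Marek quotes above) can be expressed as a rendering policy plus a sanitizer. The following is an added example written for this thread; it is not ProZ.com's code and nothing is known about how the site implements the check. It assumes the profile body is stored as an HTML fragment and that the viewer's answer to the prompt is passed in as a boolean; the function names, the element/attribute lists and the sample profile are all constructed for the example. It uses the standard-library HTML parser rather than regular expressions, because browsers accept tag and attribute spellings that simple patterns miss.

```python
"""Profile rendering gate: strip or allow owner-supplied active content.

Added example, not ProZ.com code.  Assumed policy (from the announcement):
  * non-member profile  -> active content always stripped
  * member profile      -> stripped unless the viewer explicitly accepted it
The fragment is rebuilt with html.parser so that <script> bodies, on*
handlers, javascript: URLs and frame/plugin elements are dropped, while
<style>, inline style= and ordinary markup survive (CSS was restored).
"""
import re
from html import escape
from html.parser import HTMLParser

# Element and attribute lists are the example's own choice, not the site's.
ACTIVE_ELEMENTS = {"script", "iframe", "frame", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _is_script_url(value):
    # Browsers tolerate whitespace/control characters inside the scheme
    # ("java\tscript:" still runs), so remove them before comparing.
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return compact.startswith(BAD_SCHEMES)


class ProfileSanitizer(HTMLParser):
    """Re-emits an HTML fragment without owner-supplied active content."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []   # what was stripped; non-empty => show the prompt
        self._skip = None   # element whose whole subtree is being discarded

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in ACTIVE_ELEMENTS:
            self._skip = tag
            self.removed.append(f"<{tag}>")
            return
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if self._skip:
            return
        if tag in ACTIVE_ELEMENTS:
            self.removed.append(f"<{tag}/>")
            return
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        self.out.append(f"</{tag}>")

    # Text and entity references are passed through exactly as written.
    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # dropped silently: legacy IE conditional comments can carry markup

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:      # parser already lower-cases names
            if name.startswith("on"):  # onclick, onload, onerror, ...
                self.removed.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and value is not None and _is_script_url(value):
                self.removed.append(f"{tag}@{name}={value.strip()[:20]}")
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)


def sanitize(fragment):
    """Return (safe_html, removed_items) for an owner-supplied fragment."""
    parser = ProfileSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.removed


def has_dynamic_content(fragment):
    """True if rendering this fragment would require the consent prompt."""
    return bool(sanitize(fragment)[1])


def render_profile(fragment, owner_is_member, viewer_accepted):
    """Apply the announced policy; returns the HTML to send to the viewer."""
    if owner_is_member and viewer_accepted:
        return fragment                  # member + explicit consent: as designed
    safe, _removed = sanitize(fragment)  # non-member, or viewer said no
    return safe


# Constructed sample profile (not a real ProZ.com profile).
SAMPLE_PROFILE = (
    '<h2 class="about">About me</h2>'
    '<style>.about { color: #336 }</style>'
    '<p style="font-size:110%">English &rarr; Portuguese</p>'
    '<a href="javascript:alert(1)" onclick="track()">Contact</a>'
    '<script src="https://counter.example/hit.js"></script>'
    '<iframe src="https://chat.example/widget">no frames</iframe>'
    '<img src="https://img.example/badge.gif" alt="badge">'
)

if __name__ == "__main__":
    html, removed = sanitize(SAMPLE_PROFILE)
    print("prompt needed:", has_dynamic_content(SAMPLE_PROFILE))
    print("removed:", removed)
    print(render_profile(SAMPLE_PROFILE, owner_is_member=False, viewer_accepted=True))
```

Two design points follow from the thread. First, the decision to strip is taken on the server per profile owner, so a viewer's "yes" for one member's page says nothing about another owner's scripts; the accepted flag should be keyed to the owner whose content it covers, and it should be reversible (the "sticky" behaviour Nancy describes below is what happens when a single answer is remembered without a way back). Second, keeping `<style>` and `style=` is the trade-off the site chose when CSS was restored: stylesheets cannot run code in current browsers, but they are not inert either (old IE `expression()` and selector-based exfiltration of attribute values are the known cases), so a reviewer would still treat them as lower-risk rather than risk-free.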

Özden Arıkan
Germany
Member
English to Turkish
What I don't understand Aug 7, 2009

I thought the idea was protecting our data from intrusion. Assuming, of course, that this new measure has been implemented due to the recent security breach. But it looks like the other way around, visitors being protected from our profile data? Sorry, probably a silly question, but it seems to be the natural logical question to ask upon reading how you introduce this change, Jason. So, it turns out that we too have to pay as a result of a security breach, but at least it could have been announced earlier to give people time to take the necessary measures in their profiles. I cannot but sympathize with Siegfried seeing the amount of work he has done in his profile.


The second thing, which you may want to look into or explain to me: there are several GIF images linked to from my profile (all static, not animated GIF images). When the JavaScript is disabled, only one of them disappears. Why are GIF images affected by this, and why is only one of them affected? What should I do? If turning JavaScript off is meant to affect GIF for some reason, would it do if I converted them to JPG? Or is GIF not supposed to be affected and you will need to correct something? Sorry, probably another silly question, but I'm a total ignoramus in this stuff.

Thanks for any help!

Özden


Siegfried Armbruster
Germany
Member (2004)
English to German
+ ...
Not so angry anymore Aug 7, 2009

Jason Grimes wrote:

To be clear, javascript is not disabled in your profile. Because of the potential security risk to the viewer, it seems only fair that the viewer should have the option to disable it if he or she chooses. But it is also possible to view all dynamic content in your profile exactly as you designed it (nice job, by the way).


Hi Jason,

a) Informing people afterwards is and remains disappointing behaviour.

b) You guys did not do a good job at all when implementing this feature. It does not do what you are saying here, "that the viewer should have the option to disable it". The behaviour is the other way round, and the "button" is so nicely hidden in a corner that hardly anybody will notice it if he/she does not belong to the Proz developer team. Therefore, in my opinion, it leaves me with a "dead" profile. Before a potential visitor finds your "button" to turn the interactivity on again, he/she will have lost interest in my profile.

ADDENDUM

It might not be as bad as I first thought it was. When you access your own profile, the popup does not appear automatically. I checked other dynamic profiles and the popup appears asking if you are willing to accept the dynamic content. I can live with this.

BUT THIS DOES NOT MAKE THE INFORMATION POLICY OF PROZ ANY BETTER

[Edited at 2009-08-07 20:39 GMT]


Jason Grimes
SITE STAFF
TOPIC STARTER
Özden, fixed the image in your profile Aug 7, 2009

Hi Özden,

I fixed the image in your profile--there was some broken HTML in your "about me" section. Please let me know if any other static content doesn't look right.

Özden Arıkan wrote:
I thought the idea was protecting our data from intrusion. Assuming, of course, that this new measure has been implemented due to the recent security breach. But it looks like the other way around, visitors being protected from our profile data?


This is part of a larger effort to prevent javascript-related security issues throughout the site (which in turn is part of a larger security review). It's just that in the profile pages, javascript was actually allowed on purpose, so it's a much trickier issue to solve. Thanks for your patience as the kinks get worked out.

Best regards,

Jason


Jason Grimes
SITE STAFF
TOPIC STARTER
Javascript popup now appears to the profile owner as well Aug 7, 2009

Siegfried Armbruster wrote:
It might not be as bad as I first thought it was. When you access your own profile, the popup does not appear automatically. I checked other dynamic profiles and the popup appears asking if you are willing to accept the dynamic content. I can live with this.


Hi Siegfried,

The javascript popup now appears to the profile owner as well. I see how its absence caused confusion. Sorry about that. Thanks for posting.

Best regards,

Jason


Özden Arıkan
Germany
Member
English to Turkish
Thanks, Jason Aug 7, 2009

Thanks for paying a house call to my profile. Much appreciated.


Uldis Liepkalns
Latvia
Member (2003)
English to Latvian
+ ...
Enabling JavaScript in profiles Aug 7, 2009

Dear Jason, as this my post was kindly removed by the caring Staff from the security breach thread as off topic, I repost it in new thread:


"Because you are a ProZ.com member, dynamic content (like
javascript) is still enabled in your profile page. But now, when
viewers arrive at your profile, they'll be asked whether or not
they wish to view the dynamic content. Some viewers may choose not
to, in which case the javascript will not run.

This announcement is intended to make you aware of this change.

If you weren't aware that you even had javascript in your profile
page, it may be from a hit counter, skype indicator, etc., for
which you copied and pasted the HTML code at some point in the
past. If you decide that you would like to remove this dynamic
content, please let me know and I'll be happy to help. If you want
to leave the dynamic content there, that's fine too.

I hope this helps to clarify.

Thank you for your efforts; however, I fail to see what security improvements are brought about by forcing each and every visitor to accept JavaScript. Info harvesters will surely accept it, while honest clients visiting my profile might be too afraid to accept some mysterious scripts (yes, normal people don't have the first idea how JavaScript differs from AIDS) and so will not accept it and will not get all the info from my profile. My advice is: if I have accepted the newly introduced option of specifically showing JavaScript, then by default it should be shown to all my visitors.

Uldis


NancyLynn
Canada
Member (2002)
French to English
+ ...
MODERATOR
I'm one of those who don't understand the first thing about this Aug 7, 2009

(and I could swear I just posted this but it's disappeared, so I'm trying again.)

Because I don't know the first thing about this I clicked on my profile, got the message and clicked on No to see what that would give, and the answer is a blank box under About Me. And now it seems that choice is sticky, because clicking again in another page on my profile gives me the blank About Me section again. Am I alone? I mean, I'm a long-avowed techno-bimbo, but I can't be alone, can I?

Nancy
