
Thread: Yahoo mail script in Opera

  1. #1

    Yahoo mail script in Opera

    Hello,
    I use Opera 6.0 for web browsing, and have an email account in Yahoo. When I go there (mail.yahoo.com) and sign in, Opera gives the following pop-up two times:

    "A script wants to read the password(s) in the form. Do you want to give the script access to your password?"

    and when I click even "NO", Yahoo mail works fine. Why is that? If the script of Yahoo wants to read my passwd and it really needs it, then why when I don't let it read through Opera, it still functions well?

    I don't have the above in MSIE.

    Could you please help me to learn.
    Parsa

  2. #2
    Terr (Old-Fogey: Addicts founder) | Join Date: Aug 2001 | Location: Seattle, WA | Posts: 2,007
    I think it means that javascript is trying to read from the password field... I wouldn't worry about it too much. You should be able to tell it to ignore it or to always do something without prompting you.
    [HvC]Terr: L33T Technical Proficiency

  3. #3
    Originally posted by Terr
    I think it means that javascript is trying to read from the password field... I wouldn't worry about it too much. You should be able to tell it to ignore it or to always do something without prompting you.

    You're way off Terr. Unfortunately I don't have an answer either so I'm not much better. We all know of the Java script warning Opera users get when trying to access a web-based email account, especially Yahoo.

    What he wants to know is: why does the Java script still read his password after he clicks on "no" in the Java warning box?

    Also, I'm pretty sure there's no way of turning this warning off. If someone knows how, I'll be forever grateful for the info...

  4. #4
    I double posted......I apologize...

  5. #5
    Terr (Old-Fogey: Addicts founder) | Join Date: Aug 2001 | Location: Seattle, WA | Posts: 2,007
    Well, I took a peek at the page... no overt javascript trying to access document.form.passwd or whatever it should be called.

    <form method=post action="https://login.yahoo.com/config/login?8aj07ktfrpg4r" autocomplete=off name=login_form onsubmit="return hash(this,'http://login.yahoo.com/config/login')">
    What about that? onsubmit is a Javascript property, isn't hash() a built-in function? I'm assuming that in this case "this" refers to login_form, which would include the password box. Basically, it looks like it is both submitting the information "normally" as well as making a hash with javascript...

    I'm guessing that it's some sort of additional security measure, but that it is designed so that even with javascript disabled the form will still submit the necessary information.
    [HvC]Terr: L33T Technical Proficiency

  6. #6
    Senior Member | Join Date: Aug 2001 | Posts: 170

    Just skimming over their code, basically what Yahoo does is to encrypt your information before sending it if you have javascript enabled. That way, if someone were to be sniffing the traffic to and from your machine, it would be a whole lot harder for them to get your username/password. If you don't have javascript, it will just send it plain text.

    This kind of javascript is pretty rare, though, and usually isn't what sets Opera off - most of the time sites will have javascript to make sure that you didn't leave your password blank. In this case also, it doesn't matter if you hit yes or no, it will still let you pass.

    In fact, if you ever find a site that doesn't let you pass if you hit the "no", I would be very concerned about the site's design and security. You should really never depend on javascript like that.
    "If you torture the data enough, it will confess." --Ronald Coase
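A sketch of the pattern discussed in posts #5 and #6, added here as an example and not Yahoo's actual code: an onsubmit handler that swaps the password for a hash bound to a server challenge, and a server that accepts either the hashed or the plain post. The field names, the challenge value, SHA-256 and the behaviour of a denied password read are assumptions for illustration.

```javascript
// Added illustration, not Yahoo's code. Field names, the challenge value and
// SHA-256 are assumptions made for this sketch.
const { createHash, timingSafeEqual } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest('hex');
const safeEq = (a, b) =>
  a.length === b.length && timingSafeEqual(Buffer.from(a), Buffer.from(b));

// onsubmit handler: replace the clear password with a challenge-bound hash.
function hashOnSubmit(form, challenge) {
  const pw = form.readPassword(); // the read that triggers the browser prompt
  form.fields.hash = sha256(sha256(pw) + challenge);
  form.fields.passwd = ''; // the clear password no longer leaves the browser
}

// Browser side: run the handler, then submit whatever the form now holds.
// Assumption: answering "No" makes the script's read fail, and a failed
// handler does not cancel the submit.
function browserSubmit(password, challenge, scriptMayReadPassword) {
  const form = {
    fields: { login: 'user', passwd: password, hash: '' },
    readPassword() {
      if (!scriptMayReadPassword) throw new Error('password access denied');
      return this.fields.passwd;
    },
  };
  try {
    hashOnSubmit(form, challenge);
  } catch (e) {
    // handler aborted: fields are untouched, so this is a plain form post
  }
  return { ...form.fields };
}

// Server side: holds H(password) (simplified storage) and the challenge it
// issued with the login page, and accepts either kind of post.
function serverVerify(post, storedPwHash, challenge) {
  if (post.hash) return safeEq(post.hash, sha256(storedPwHash + challenge));
  return safeEq(sha256(post.passwd), storedPwHash);
}
```

Login succeeds on both paths; the only difference is whether the clear password or a one-time hash crosses the wire, which is why clicking "No" changes nothing visible.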

  7. #7
    Terr (Old-Fogey: Addicts founder) | Join Date: Aug 2001 | Location: Seattle, WA | Posts: 2,007
    Well, I once made a site area like that... Basically the javascript would take the password, and redirect the user to a page inside a subdirectory, the subdirectory having the same name as the password. Directory listing was disabled, and I had a few tricks with javascript and frames set up so that if they REALLY wanted to (and knew what they were doing) they could bookmark the page, but otherwise they'd have to enter the password each time.

    It was pretty secure, except for the aspect of cache and history, etc.
    [HvC]Terr: L33T Technical Proficiency

  8. #8
    Originally posted by Terr
    Well, I once made a site area like that... Basically the javascript would take the password, and redirect the user to a page inside a subdirectory, the subdirectory having the same name as the password. Directory listing was disabled, and I had a few tricks with javascript and frames set up so that if they REALLY wanted to (and knew what they were doing) they could bookmark the page, but otherwise they'd have to enter the password each time.

    It was pretty secure, except for the aspect of cache and history, etc.
    Terr I once designed a similar site ... I found the pages easy (with a little effort) to bookmark. I was also concerned about people stealing my graphics so I used this trusty little script found here:

    http://htmlgoodies.earthweb.com/beyond/noclick.html

  9. #9
    PHP/PostgreSQL guy | Join Date: Dec 2001 | Posts: 1,164
    Terr I once designed a similar site ... I found the pages easy (with a little effort) to bookmark. I was also concerned about people stealing my graphics so I used this trusty little script found here:
    The only problem with that is that they can still get to your source code, which reveals graphic locations, which means they can direct-link to that path (if they REALLY want the graphic that is, haha) and take it there, where there's no javascript.

    1: page with javascript preventing mouse-clicks.
    2: user wants graphic1
    3: user sees they can't hit right-click to save-as.
    4: user says "But I'm l33t!" and goes through the browser's view-source, and sees that graphic1 really points to "images/foo.jpg" or something similar.
    5: user then puts in the address and adds /images/foo.jpg to the end and booya-shiggity-blakow (!!), the image is shown and they save away, all the while laughing at your feeble attempt to stop them.

    There are other ways around this, some rather expensive, but I'm trying to figure out how to cgi-rename them so that the file "doesn't exist" by those viewing the source yet the images still show. If I'm successful, I'll post the code here.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  10. #10
    Senior Member | Join Date: Nov 2001 | Posts: 1,255
    Vorlin, you didn't mention wget either...

    wget makes it as simple as [user@host dir]# wget your_host/dir/file.ext to get your files.

    Addendum: BTW, you could create a php script to check the referrer object to determine if the thing was coming from your webpage or not, then write out the image or a nasty message if it is.
    I have done this with ASP as well, so I know it works and can be done. It's an annoying way around it though.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
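The referrer check suggested in post #10, written out as an added example (not code from the thread; the post mentions PHP and ASP, this sketch uses JavaScript, and the host names are constructed). It compares the parsed host instead of matching a substring, and makes the handling of a missing header an explicit policy choice.

```javascript
// Added illustration; host names below are constructed examples.
// Classify the Referer header of an image request relative to our own site.
function refererDecision(headers, siteHost) {
  const ref = headers['referer']; // Node lower-cases incoming header names
  if (!ref) return 'no-referer'; // typed URL, bookmark, or header stripped
  let host;
  try {
    host = new URL(ref).hostname.toLowerCase();
  } catch (e) {
    return 'malformed';
  }
  // Exact host or a true subdomain; a substring test would also accept
  // "example.test.evil.test" or "evilexample.test".
  const sameSite = host === siteHost || host.endsWith('.' + siteHost);
  return sameSite ? 'same-site' : 'foreign';
}

// allowMissing: whether requests without a Referer still get the image.
function shouldServeImage(headers, siteHost, allowMissing) {
  const decision = refererDecision(headers, siteHost);
  if (decision === 'same-site') return true;
  if (decision === 'no-referer') return allowMissing;
  return false; // foreign or malformed: send the placeholder instead
}
```

The Referer header is supplied by the client, so this only discourages casual hotlinking from other pages; it is not an access control for the image files themselves.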
