Norton 360 is thwarting my javascript -- what should I do? - javascript

One of my clients has Norton 360 installed on his computer, and it's interfering with the javascript in my web pages. Not all JS, just some.
Simple things like
<a href="page.html" onclick="somefunc(); return false;">
don't work. Also using jQuery to attach on onclick event to an a tag doesn't work either:
// doesn't work
$(document).ready(function() {
$("#old_trans_link").click(viewOldTrans);
});
What should I tell my client? What should I tell our users? Is there any way around this madness?
Everyone doing JS heavy pages must run into this. How do they deal with it?
Edit: He also has McAfee installed at the same time.

I've never heard of anti-virus interfering with in-browser JavaScript in that way. My best guess would be that they have their virus scanner running at a very aggressive security level.
The easiest options, in terms of amount of work required to address this issue would be:
Recommend your users lower their security settings
See if they can whitelist your site so the application will work correctly
Recommend a browser other than Internet Explorer, or suggest they install Chrome Frame
Of course, if these are not feasible options, you may have to go with a more simplistic approach to using JavaScript on your page. Instead of requiring JavaScript on the site, use it to enhance the site and make features easier to use.
To do this, you would have to make everything on your site work with JavaScript disabled. Have everything perform POSTs to the server for processing. JavaScript would sit on top of all of this to enhance the experience for users who have JavaScript working. In this scenario, things like anti-virus blocking click events on anchor links would end up with a submission to the server.
Of course, this is a lot more work on your part because it almost requires writing 2 versions of the site. This is an argument that is brought up all the time online, even when developing StackOverflow, as was discussed on their blog.
You're better off telling them to add an exception for your site.

They probably are using some sort of web shield I assume. Try asking them to add an exception to your site
Edit:Adding Link
http://www.symantec.com/norton/360
Under "Advanced Protection"
"Blocks browser, OS, and application threats; protects against infected Web sites"
So I assume there should be a way to add an exception

Related

Will Apple reject Cordova applications that download additional JavaScript

all.
My team has been toying with the idea of developing an iOS app using Cordova, and recently, we've been looking into offloading as much of the main JavaScript as possible to our server, in an attempt to speed up fixing critical bugs.
The idea would be to have:
the native app containing all HTML, CSS, plugins and Cordova files
the main JavaScript added to the pages as external scripts from a server
a device-ready function for each page that will set up and start the main JavaScript once it's available
I have seen comments that Apple could be trusting of code that runs in a webview, but it does seem like projects like this could be a security issue.
I am aware of other questions and the like that touch on this, but I feel that the context was always different.
Thanks!
A year ago apple changed the iOS Developer Program Agreement to allow download of code, see the Section 3.3.2
3.3.2 An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts,
code and interpreters are packaged in the Application and not
downloaded. The only exception to the foregoing is scripts and code
downloaded and run by Apple's built-in WebKit framework, provided that
such scripts and code do not change the primary purpose of the
Application by providing features or functionality that are
inconsistent with the intended and advertised purpose of the
Application as submitted to the App Store.
So, as you are using cordova, and cordova uses WebKit framework, if you don't change the main purpose of the Application, you won't be rejected
The answer is it depends on how you use the system. The technical ding that hits most people is Apple iTunes Guidelines - 2.12
Apps that are not very useful, unique, are simply web sites bundled as Apps, or do not provide any lasting entertainment value may be rejected
It seems clear to me, but as a volunteer on the "official" phonegap forum, I'm often very blunt with people on this point. Nothing worst than months of work for nothings
On the Javascript idea, loading the javascript file from the web is not good practice. If your app ever loses the network, your app will be non-responsive. One app that I can name, that was growing by leaps and bounds, that has this problem is Word with Friends. I play and I can see the stall every time.
Make sure you App is always responsive and if not, give a short reasonable explanation. LIKE,"Opps, we can't find the Internet."
I have seen comments that Apple could be trusting of code that runs in a webview, but it does seem like projects like this could be a security issue.
Yes, Apple trust code that runs in webview, because it is not a browser. However, that does not make it secure. We have plenty of security issues and bugs. A recent security issues allows rogue code to insert weblinks into webview, and thereby allow the App to be used as an attack vector. Another recent security issue will launch rogue code from and mp3 file! And this bugs goes back to Android 2.0.
The cure is worst than the problem. It's a huge whitelist protocol that is confusing because of the bad documentation. Luckily, I should have a blog post in a few days; other people are working on blog posts too. my raw notes are online or read the current issues especially #10.
I am aware of other questions and the like that touch on this, but I feel that the context was always different.
Feel free to read my notes. The one i give to people all the time is:
Top Mistakes by Developers new to Cordova/Phonegap
But the root has more notes
Best of Luck.

Designing JQuery / Ajax sites backwards compatible w' no-JavaScript browsers

Does anyone know a good place to look for basic principles and tutorials on designing a JQuery rich websites, but which would still work in browsers that either don't support JavaScript or have it disabled?
If that's even possible, in practical terms..
Before you look at all this, you should be aware of a few things.
Historically, there were lots of reasons to make things work without JS:
SEO. Googlebot ran much like Lynx
Mobile devices. Hardly any, if any at all would run JS
Paranoid users who turn off JS
Corporate restrictions
Accessibility - screen readers etc.
If we look at todays landscape, things are different
Googlebot evaluates JS. In my own testing I've found that Googlebot can make ajax requests via jQuery code, and include text inserted into the page in it's results.
Mobile devices run better browsers than desktops for many users (i.e. Android Phone + IE8 user)
Noscript etc allow you to whitelist sites, though hardly anyone uses it anyway
Some corporations likely still ban JS, but again, it's minimal
Accessibility is getting better, and in many ways it's not an issue, but users may still be using older versions that don't deal with JS well.
This means that you are making a site without JS for accessibility reasons. This lets you concentrate much more on the experience you are creating without JS.
In short, you should ensure that anything that happens via AJAX can also happen without. This usually means modifying your serverside code so that anytime it generates JSON, it can also create the whole page the JSON is to be inserted into (i.e. if you have a button that loads text into a div, you should have an actual page with that view in).
An alternative approach is to carefully provide a different version of the app targeted at users without JS. Many old mobile sites are “good” examples of this.

How are windows executables [.exe] launched out of browsers?

I'm not talking about browser exploits. I'm talking about real applications used in real companies, like Ijji and Nexon.
Basically, from their websites you can click a "Start Game" button, which will launch an executable located at c:\ijji\english or c\nexon[gamename] respectively. These applications are real desktop applications, meaning that they can take advantage of the filesystem, direct3d, and OS [in the form of executing other applications]. The applications can also be launched through command line [as opposed to going to the game host's website].
I figured this would be possible if the application created an ActiveX object to call for the creation of a new process. However, the websites are able to launch applications from multiple browsers other than Internet Explorer, including chrome, which, to my knowledge, does not implement ActiveX.
Obviously the people developing these applications use their own means to do this.
From looking at the services list as well as currently running applications list, I have no indication that they're running something like "gameLaunchingServer.exe" which listens to some obscure port for an incoming connection [to be accessed using iframe - HTTP Protocol] and responds by launching an application...
I'm stumped, and this is sort of stuck in my mind. Obviously, they're not using some random browser exploit, otherwise people at http://www.[insertMaliciousWebsiteHere].com would have jumped on the opportunity already to install random crap. Regardless, it seems pretty cool, and I wanted to know how it worked.
Just curious, hehe.
I believe what they're doing is setting up their own protocol handler on install - when a browser is asked to access an address with a protocol that it doesn't know how to handle (for instance, a steam:// address), it looks at all the installed protocol handlers to find a match.
So you can register your application as a myApplication:// protocol handler, and then your web page can link to a myApplication:// address and launch your application.
I didn't quite find the button you are talking about, but I'm thinking it works only after you installed the application once, isn't it?
In that case, the application probably created its own protocol, just as skype, msn and a bunch of clients.
Having a protocol is the easiest way (and very easy indeed to implement - a simple registry key).
Another way which is used is an extension or plugin.
I thought they were run through plug-ins or like applets.
For example, MS SilverLight

Is there a "de facto" standard link to give to users to show them how to enable JavaScript?

This is an often used HTML piece on websites.
<noscript>
Please enable JavaScript or use a JavaScript capable device to get the maximum benefit of this site.
</noscript>
I want to link it to some directions or similar to enable JavaScript. I don't want to make my own list, as it would require me to update it.
I have found the Google link before, which was pretty good, but I was wondering if there is any de facto link that developers link to give users step by step instructions on how to enable JavaScript.
I realise that most people with it off probably do know how to re-enable it, I just thought for completeness a link couldn't hurt (maybe their more web savvy brother disabled it on a shared computer).
Looked up a bit and found http://www.enable-javascript.com/.
Seems to be a bit more updated i.e includes chrome etc and has screen images as well for those who prefer the visual route.
Also, doesn't seem to have a lot of pesky ads etc. Hope it helps!
Caveat: Must add that I have never used this before and am not sure of how frequently it will be updated but it looks promising!
Is this still a major concern in 2010? In my experience, people who see the <noscript> content have either:
disabled JS themselves, and therefore would know how to enable it (e.g. NoScript users)
or don't have JS capabilities (e.g. text-only or low-end mobile browsers)
Above that, browser landscape is varied enough that it's rather hard to keep up with various browser versions and their JS settings.
I'd say "just display 'this works better with JS' and degrade gracefully".
I have found activatejavascript.org. It is a little outdated, e.g. not providing instructions for Google Chrome.
I am also weary of sites that look like just a quick + dirty platform for advertisements (I got that impression).
There is probably something better.
Why don't you do it yourself?
It only takes a little browser sniffing and browser screenshots.

How to build a web crawler to find a specific advert, which is in an iframe loaded by Javascript

I'm trying to find all instances of an advert on a website. The advert is in an iframe which is loaded by javascript (it doesn't appear at all if javascript is turned off). Detecting the advert itself is extremely simple, both the name of the flash file and the target of the href always contain a certain string.
What would be the best "starting point" for achieving this? At the moment I'm considering an Adobe AIR app, which could crawl the site and examine the DOM to find the ad, and would run javascript and load the content of the iframe. The other option I can think of is using Firefox as the platform (using maybe GreaseMonkey or Selenium? I don't really know how to leverage Firefox like this).
Does anyone know of anything suitable to build this, or have any suggestions on using Firefox to do it?
Extra details:
Being CPU intensive isn't really an issue, nor is anything depending on a browser being open. This doesn't need to run on a headless server, it will be running on a powerful desktop box. OS is also not an issue. It would be advantageous if the crawler loaded each page multiple times, as the advert is in rotation. While the crawler does need to execute the javascript and load the content of the iframe, it does not need to be able to display flash files.
An alternative to using a "browser as a crawler" is using HTMLUnit as the page says, it's:
HtmlUnit is a "GUI-Less browser for Java programs". It models HTML documents and provides an API that allows you to invoke pages, fill out forms, click links, etc... just like you do in your "normal" browser.
It has fairly good JavaScript support (which is constantly improving) and is able to work even with quite complex AJAX libraries, simulating either Firefox or Internet Explorer depending on the configuration you want to use.
I think You don't want a crawler. You are going to run it on a single page and not want it to look around the internet through links, right?
If so - You want to find something on the page with javascript on. You then just have to use javascript.
You'll need:
the site :)
correct rights to access its content - use greasemonkey for FF or user scripts in Opera
a code similar to this jQuery sampe:
finding stuff in iframes:
$('iframe').each(function(){
$(this).contents().find('object').each(function(){
if($(this).attr('name').match(/regex/)){
$(this).remove(); //or do whatever You want
}
});
});
caution: accessing iframe contents may differ in browsers and is influenced by time when You run the script
If the ad is only displayed when javascript is enabled, you are going to have a problem, as no crawler is going to be able to read the web page in that matter.
Is there something in the javascript code itself that could be a tipoff to where the add is displayed? If so, maybe you can check that.
I've tried similar stuff before, and I used BeautifulSoup in python, and it worked really well.

Categories