marahmarie: Sheep go to heaven, goats go to hell (Default)

Update, 9-21-14: added new Support request URL.

I just noticed your Dreamwidth login gets passed to http://mobiletest.me so* (see correction below) the emulator winds up displaying all of your locked entries. I am kind of freaked out about this so I have a Support request in with DW to check if a) it's normal for emulators to get passed our log-in info to be able to display our locked entries and b) to find out if DW staff feels this is a security risk.

I feel it is a security risk - regardless of how they feel about it (no offense intended but oh, happy hell) so until someone can explain to me how it is not a security risk, my question - and my sheer anxiety over it - will stand.

*Correction: as pointed out by [personal profile] ideological_cuddle in this thread, I've worded this issue quite badly from the start. I don't, in fact, believe our log-in state is passed directly to mobiletest.me; rather, I'm questioning whether our logged-in materials are (as he explained, these materials are presented in an IFRAME, allowing even our access-only posts to display in their emulator if we're already logged into DW).

Given this refinement of exactly what I feel is the potential security risk my question stands, with the caveat that I'm not worried so much that our log-in details (such as username and password combos) are getting passed along as I am that our access-only content is first getting displayed in mobiletest.me's IFRAMES and then somehow being scraped and/or stored by them for future use/disbursement.

Sorry for my original wording; on account of it I'm leaving it as-is with strikethroughs added as needed to show where I really confused the hell out of exactly what I'm on about here.


Update, 9-20-2014: After I wrote this post [personal profile] ideological_cuddle grew curious about mobiletest.me and decided to check it out. The first thing he noticed was the page seems to not run true emulators at all but to simply load your web pages up in an IFRAME. I soon made a second post about mobiletest.me informing everyone I'd filed a Support request with DW over my feeling the site might present a security risk after I discovered the so-called "emulators" display your locked entries if you're already logged into DW and are viewing mobiletest.me from within the same browser.

Upon poking around the question of what the exact security risk might be [personal profile] ideological_cuddle and I quickly came to agree that there's a small but definite chance that a site like mobiletest.me could use two scripts - one against the parent page (which holds the IFRAME on mobiletest.me) and one against the child (your website content displayed within the IFRAME) to scrape whatever content from the IFRAME that they want - including, of course, all of your locked entries.

The fact that mobiletest.me's basic and advanced "emulation" doesn't seem to work - or to even exist - was my first red flag that it's not what it seems, but upon realizing that scraping locked content could be an actual security risk for users of the site I am completely turned off, so I'm withdrawing the endorsement you see in the title of this post and below, and I apologize for posting as glowingly as I did without first checking under the hood, so to speak, a bit more carefully before posting.
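An added example, not part of this post or of either site's code, showing the check a site owner would run on the defender side: given a page's response headers, would a browser let another origin (say mobiletest.me) load it in an IFRAME at all? Browsers already stop a parent page's scripts from reading a cross-origin frame's DOM, so the control a site like DW has is the framing policy itself: CSP `frame-ancestors` (which takes precedence) or the older `X-Frame-Options`. The header sets and the `example-journal` hostname below are constructed for the example.

```python
from urllib.parse import urlsplit

def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (p.hostname or "").lower(), port

def _header(headers, name):
    """Case-insensitive header lookup on a plain dict of response headers."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def _source_matches(src, embedder, embedded):
    """Match one frame-ancestors source expression against the embedder origin.
    Simplified from the CSP spec: scheme-less sources accept http/https and
    an unspecified port is not checked."""
    src = src.strip()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == embedded
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:      # scheme-only source, e.g. "https:"
        return embedder[0] == src[:-1].lower()
    scheme, rest = src.split("://", 1) if "://" in src else ("", src)
    host, _, port = rest.partition(":")
    if scheme and embedder[0] != scheme.lower():
        return False
    if not scheme and embedder[0] not in ("http", "https"):
        return False
    if host.lower().startswith("*."):             # wildcard subdomain source
        if not embedder[1].endswith(host.lower()[1:]):
            return False
    elif embedder[1] != host.lower():
        return False
    return not port or port == "*" or str(embedder[2]) == port

def framing_allowed(headers, embedder_url, embedded_url):
    """True if a page served with `headers` from `embedded_url` may be framed
    by a page on `embedder_url`. With no policy at all, anyone may frame it."""
    embedder, embedded = _origin(embedder_url), _origin(embedded_url)
    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # frame-ancestors is present, so browsers ignore X-Frame-Options;
            # an empty source list behaves like 'none'
            return any(_source_matches(s, embedder, embedded) for s in value.split())
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == embedded
    return True   # no anti-framing header: the situation this post is worried about
```

Run it against a site's real headers (e.g. from `curl -I`) to see whether a third-party page can embed it; a `True` on a page that serves logged-in content is the finding worth reporting.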


Original post is as follows:

Got into the Beta and it is the bomb. I can test this blog's responsive design against every major brand and model of mobile phone and tablet out there and even use advanced emulation and both landscape and portrait modes which is helping me to catch and fix a lot of errors both big and small that might otherwise semi-permanently escape my attention. Using Firefox's Web Developer add-on accomplishes many of the same goals just by checking the "View Responsive Layouts" option but because you have to do the window resizing yourself to find and make sure you fix different errors stuff can get by you - not so with this website.