Sun, 15 Jul 2018 13:44:39 -0500
Static pages are needed where the environment is less than ideal for security. I2P and Tor can handle dynamic pages but why take the risk? One coding error, one malicious attacker, one mis-step could lead to a disaster of dire consequences. Luckily in FFS all output goes thru a function aptly named output() so capuring the raw html and redirecting to a file is easy. Designing the mode to not include any "login required" content may prove interesting without alot of sloppiness but what is life without a challenge?
To this end mobile and tablet menus were changed to plain and I added a noscript plain menu for all screen/browser types. No JS environments won't break the site in anyway, but I still don't feel the need for extra steps. Delete confirmation pages in non JS environments won't work but people *should* be careful where they click anyway. I still need to design a better mobile menu... something like poloniex or just a drop down icon, maybe multi level for submenus.
I will test this soon with archamedis.i2p or something like that. Dont ask with what content... who knows... itll mainly just be for testing purposes only. Page regeneration should not take forever either... need a md5 content test or last updated timestamps to see what *needs* to be updated and what doesn't. Either way, the backend will probally have to be php-cli just incase of a timeout.
Web Standards... Drafts or Wishes?
Tue, 10 Jul 2018 20:39:59 -0500
So yes, I know I'm getting to CSP late but better late than not at all eh?
There seems to be major lag time between the drafts and whatever is happening IRL. Apparently back in 2016, the report-uri method in the CSP was deprecated in favor of a new reporting mechanism, report-to. The section of the draft for report-uri literally says:
This feature has been removed from the Web standards. Though some browsers may still support it, it is in the process of being dropped. Avoid using it and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.
Ok! No problem! I read the above as don't use report-uri, use report-to.
So I head over to the report-to section in the same draft that was updated on Mar 29, 2018, 4:25:30 PM and its looking good until I get to the browser compatibility table. Literally nothing supports it... not even basic support. In 2 years, no movement? I get why their trying to move away from report-uri but 2 years? I'm glad I read through the whole section before I started coding. My carpal tunnel laden hands would have been sorely pissed.
Sat, 07 Jul 2018 16:32:04 -0500
Added rudimentary tags for news posts, pages, galleries, and other page types. Not trying to make a tag cloud persay with the font size/color differences, just an alternative to categories which I do not want to have. Products can have categories but seperating page content... nah.
I've read that SEO and tag clouds don't work well together. Search engines will penalize the site for having tags as the links lead to duplicate content. Maybe hide the tag div with JS or something if it detects the almighty GoogleBot and other indexers? More research is needed.
Content Security Policy
Thu, 05 Jul 2018 23:36:19 -0500
Content-Security-Policy... good shit but annoying!
Switched from setting the CSP headers on the webserver to FFS. This allows the script to generate hashes for scripts and styles and add them to the "whitelist".
Switched the editor from WymEditor to CKEditor 4 which is a welcome change. The code is well maintained and didn't require alot of CSP workarounds as I had expected. I saved 30 style hashes to a file that gets automatically loaded *only* when the editor is needed. The inline script to load the editor only needed 1 hash which is auto generated and only loaded when needed as well.
Added automatic hashing of the percentage bar div's as it is using inline styles to set the width according the usage of the user quota.
The global variable count is up along with my blood pressure but CSP is worth having for some added protection.
FFS is now at v .3.3.1b
Wed, 04 Jul 2018 10:03:34 -0500
May your burgers and hot dogs full your bellies and your games be plentiful with loot! Happy Independence Day everybody!