roller-user mailing list archives

From Dave <snoopd...@gmail.com>
Subject Re: Why does Roller use Javascript?
Date Tue, 07 Aug 2007 14:07:42 GMT
On 8/4/07, Henrik Martin <henrik@netgate.net> wrote:
> Hi. I was just playing around with my installation of Roller. I was
> using my wife's machine and I was trying to comment on a blog
> entry. However, I didn't see the "Please answer this simple math
> question" show up on the page. I use a Javascript blocking toolbar in
> Firefox, and I hadn't enabled Javascript for the site that Roller was
> running on. When I enabled it, the field with the math question
> appeared in the page.
>
> I'm just curious as to why Roller needs to use Javascript for this?  I
> guess it's to avoid generating the numbers in the HTML, which would
> make it easy for bots to parse. But this could still be bypassed
> by a bot if the page is processed by a library that could execute the
> Javascript code. In general, I consider Javascript to be a real
> annoyance. Not only is it insecure, it's also very unpredictable as to
> how it's implemented in various browsers. There are some sites that I
> use that require Javascript to function, and I reluctantly allow it
> for those sites, but I really don't see it being necessary for most
> sites.
>
> As for the math question, I guess there's some kind of cookie
> associated with it so that you can verify that the response is for a
> certain challenge. Why couldn't this be done by just passing cookies in
> the HTTP header like most session cookies are handled?
>
> I'd like to suggest using JCaptcha (jcaptcha.sourceforge.net)
> instead of the math question. From a usability standpoint, I think
> this is better and much more intuitive, and doesn't require
> Javascript. The math question is very easy to miss, and it wasn't
> obvious to me the first time I visited a Roller blog that it was
> required to post a comment. Most people are used to CAPTCHA systems
> when they sign up for services at Yahoo, Google, AOL, and other large
> sites. I think it would be more obvious than the math question. The
> only caveat that I'm aware of with JCaptcha is that it uses Java
> imaging libraries that use the GraphicsContext class. This will
> sometimes cause Tomcat to crash on servers that are running "headless"
> unless the Java runtime environment has been told specifically that it
> is running headless. This can be done by passing -Dawt.headless=true
> to the JVM. Once that is done, JCaptcha works really nicely in a
> headless server environment.

There are lots of areas for improvement in Roller's comment
auth/validation. We need to make it more pluggable, we need to provide
an option for OpenID, etc.

I'd like to see a JCaptcha plugin for Roller and at one time one
existed. However, we cannot distribute JCaptcha with Roller because it
has an LGPL license which is incompatible with Apache policy.

- Dave
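The design Henrik sketches above (a server-generated challenge whose expected answer is bound to the request by a cookie, no JavaScript involved) can be shown concretely. The following is an added illustration written for this archive page, not Roller's comment-validation code or anything from the thread; names such as `make_challenge`, `verify_answer` and the cookie name `comment_challenge` are hypothetical. The question is rendered as plain HTML, and the token carried in the cookie (or a hidden field) holds only a nonce, an expiry and an HMAC over nonce|expiry|answer, so the token itself never reveals the answer, the server stays stateless apart from a replay set, and a solved challenge cannot be reused for a second post.

```python
"""Server-side arithmetic challenge that needs no client-side script.

Hypothetical example, not Roller code. The expected answer is bound to the
form by an HMAC-signed, time-limited token delivered like a session cookie.
"""
import hashlib
import hmac
import secrets
import time

# In a real deployment this key is loaded from configuration, not generated
# at import time (a restart would otherwise invalidate outstanding forms).
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 600

# Nonces already redeemed. Without this, one solved challenge could be replayed
# for many comment posts until it expires. A real server would use a bounded,
# expiring store (e.g. keyed by nonce with TTL) instead of a process-local set.
_used_nonces: set[str] = set()


def _mac(nonce: str, exp: int, answer: int, key: bytes) -> str:
    """HMAC-SHA256 over nonce|exp|answer; the answer is never stored in clear."""
    msg = f"{nonce}|{exp}|{answer}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_challenge(a=None, b=None, now=None, key=SERVER_KEY):
    """Return (question_text, token).

    `a`, `b` and `now` are parameters only so the behaviour is reproducible in
    tests; production callers leave them unset and get random operands.
    """
    a = secrets.randbelow(10) if a is None else a
    b = secrets.randbelow(10) if b is None else b
    now = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)
    exp = now + TTL_SECONDS
    token = f"{nonce}:{exp}:{_mac(nonce, exp, a + b, key)}"
    return f"What is {a} + {b}?", token


def verify_answer(token, submitted, now=None, key=SERVER_KEY) -> bool:
    """Check a submitted answer against the token that accompanied the form.

    Rejects malformed tokens, expired tokens, wrong answers (MAC mismatch,
    compared in constant time) and replays of an already-redeemed nonce.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        nonce, exp_text, mac = token.split(":")
        exp = int(exp_text)
        answer = int(str(submitted).strip())
    except (ValueError, AttributeError):
        return False
    if now > exp:
        return False
    if nonce in _used_nonces:
        return False
    if not hmac.compare_digest(mac, _mac(nonce, exp, answer, key)):
        return False
    # Only a correct answer consumes the nonce, so a typo does not burn the form.
    _used_nonces.add(nonce)
    return True


def cookie_header(token: str) -> str:
    """Set-Cookie value carrying the token the way a session cookie would.

    `comment_challenge` is a hypothetical cookie name chosen for this example.
    """
    return f"comment_challenge={token}; Path=/; Max-Age={TTL_SECONDS}; HttpOnly"


def render_comment_form(question: str) -> str:
    """Plain HTML fragment: the question is visible with scripting disabled."""
    return (
        '<form method="post" action="/comment">\n'
        f'  <label for="answer">{question}</label>\n'
        '  <input id="answer" name="answer" type="text">\n'
        '  <button type="submit">Post comment</button>\n'
        "</form>"
    )


if __name__ == "__main__":
    # Walk through one request/response cycle with constructed values.
    question, token = make_challenge()
    print("Set-Cookie:", cookie_header(token))
    print(render_comment_form(question))
    a_str, _, b_str = question.removeprefix("What is ").removesuffix("?").partition(" + ")
    print("correct answer accepted:", verify_answer(token, int(a_str) + int(b_str)))
    print("replay rejected:", verify_answer(token, int(a_str) + int(b_str)))
```

Because the answer enters the MAC rather than the cookie, a bot that reads the cookie learns nothing it could not already read from the visible question; what the design buys is that the server need not keep per-form state, that the challenge cannot be answered after it expires, and that one solution cannot be replayed. It does not make the arithmetic harder for an automated client, which is the same limitation Henrik notes for the JavaScript variant.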
