Sunday, July 11, 2010

The Template Designer, And Browser Security Settings

One of the most exciting features of the Template Designer is the Live Preview.

As you change any blog template setting using the Designer wizard, in the upper pane, you immediately see the effect of the change in the lower pane. That is the intended effect, when the wizard works.

The Template Designer, like most Blogger blog maintenance wizards, runs in "Blogger.com". The live preview window, however, runs in the domain where the blog is published. This requires that both "blogger.com" and the blog domain have trusted status, and it causes a vulnerability called cross-site scripting (XSS).

Blogs that are published to BlogSpot require that XSS be permitted to "blogspot.com", and blogs that are published to custom domains require that XSS be permitted to the domain URL.

Anybody with any serious concern for security permits neither, without careful consideration.

If your browser is Firefox, and you use NoScript for add-on security, you'll have to do an "Unsafe Reload" if you want your Live Preview to work. You do the "Unsafe Reload" from the NoScript XSS submenu, either from the status bar NoScript icon, or from the XSS alert bar which NoScript adds at the top of the browser window.

When you select "Unsafe Reload", you'll get a popup warning, with the option "Don't display this warning again". If you select that option, the "Unsafe Reload" should be expected to run, next time, without showing a warning. In some cases, though, after you select "Don't display this warning again", the "Unsafe Reload" icon will not be displayed again. This will leave you unable to run "Unsafe Reload" the next time that you start the Template Designer.

Internet Explorer uses Zone-based security. You will have to designate the domain where your blog is hosted as being in the Trusted Zone, then ensure that XSS is permitted for Trusted Zone domains.

Cross-site scripts are a problem that is largely unique to the Template Designer wizard. There are many other security problems, though, that the Template Designer wizard shares with several other Blogger features - like Blogger login, Commenting, and Stats. Cross-site script filters affect scripts, just as third-party cookie filters affect cookie access.

URL changes - from "blogspot.com" to a custom domain, and from "blogspot.com" to a country code alias - will cause problems with any domain-based filters. Cross-site script filters are domain specific - and any filter which references "blogspot.com" will need to similarly reference any non-"blogspot.com" domain to which your computer is redirected.
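To make the domain split concrete, here is an added example (not Blogger's or NoScript's code) of a same-origin check and a domain allowlist of the kind a cross-site script filter applies. It shows why the Designer pane on "blogger.com" and the Live Preview pane on the blog's own domain count as separate sites, and why a filter rule written for "blogspot.com" stops matching once the blog is served from a custom domain or a country code alias. All URLs and the allowlist are constructed for the example; the `requiredDomains` helper is an assumption about what such a filter needs, not a Blogger API.

```javascript
// Added example (not Blogger's or NoScript's code). All URLs below are
// constructed samples; the allowlist is a stand-in for a domain-based
// script filter such as the ones discussed in the post.

// Scheme + host + port: the browser's notion of an origin.
function originOf(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.host;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// True when the URL's hostname is one of the allowlisted domains or a
// subdomain of one (the way a domain-based filter rule usually matches).
function hostAllowed(allowlist, url) {
  const host = new URL(url).hostname.toLowerCase();
  return allowlist.some((d) => host === d || host.endsWith('.' + d));
}

// The Live Preview works only if BOTH panes' domains are allowed:
// the Designer on blogger.com and the preview on the blog's domain.
function livePreviewAllowed(allowlist, designerUrl, previewUrl) {
  return hostAllowed(allowlist, designerUrl) && hostAllowed(allowlist, previewUrl);
}

// Hypothetical helper: given the domain the blog is actually served from,
// list what a domain-based filter would have to allow for the Designer.
function requiredDomains(previewUrl) {
  return ['blogger.com', new URL(previewUrl).hostname.toLowerCase()];
}

// Constructed sample URLs.
const DESIGNER = 'https://www.blogger.com/';
const BLOGSPOT = 'http://example.blogspot.com/';
const CC_ALIAS = 'http://example.blogspot.co.uk/'; // country code alias
const CUSTOM = 'http://www.example.com/';          // custom domain

// A filter that was written when the blog lived on blogspot.com.
const filter = ['blogger.com', 'blogspot.com'];

console.log('Designer and BlogSpot same origin?', sameOrigin(DESIGNER, BLOGSPOT)); // false
console.log('Preview on blogspot.com allowed?', livePreviewAllowed(filter, DESIGNER, BLOGSPOT)); // true
console.log('Preview on cc alias allowed?', livePreviewAllowed(filter, DESIGNER, CC_ALIAS)); // false
console.log('Preview on custom domain allowed?', livePreviewAllowed(filter, DESIGNER, CUSTOM)); // false
console.log('Filter must allow for custom domain:', requiredDomains(CUSTOM));
```

The two false results at the end are the failure mode the post describes: the filter still trusts "blogspot.com", but the preview pane is now loaded from a host that does not end in ".blogspot.com", so one half of the Live Preview is blocked and the wizard stops working until the new domain is added.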

Layered security must be properly set up on your computer and network, if you wish to use Blogger effectively.


2 comments:

pcd2k said...

I'm not certain I like this new feature. I had a play around with it a little while ago and although I didn't (intentionally) make any changes, my blog loads for a few days after that behaved weirdly. Like my header graphic seemed to go missing for a couple of days and some of my widgets seemed to have disappeared. But lucky for me, my blog loads settled back to where things were meant to be eventually.

Dubie said...

Browser is FireFox, however at the time NoScript was disabled. At any rate, I feel that you understand what the symptom of the glitch is precisely, in that Live Preview stopped working and as well the ability to change templates too.

Robert