
The Template Designer, And Browser Security Settings

One of the most exciting features of the Template Designer is the Live Preview.

As you change any blog template setting using the Designer wizard, in the upper pane, you immediately see the effect of the change in the lower pane. That is the intended effect, when the wizard works.

The Template Designer, like most Blogger blog maintenance wizards, runs in "blogger.com". The live preview window, however, runs in the domain where the blog is published. This requires that both "blogger.com" and the blog domain have trusted status, and causes a vulnerability called cross-site scripting (XSS).

Blogs that are published to BlogSpot require that XSS be permitted for "blogspot.com", and blogs that are published to custom domains require that XSS be permitted for the domain URL.

Anybody with any serious concern for security permits neither, without careful consideration.

If your browser is Firefox, and you use NoScript for add-on security, you'll do an "Unsafe Reload", if you want your Live Preview to work. You do the "Unsafe Reload" from the NoScript XSS submenu, either from the status bar NoScript icon, or from the XSS alert bar which NoScript adds at the top of the browser window.

When you select "Unsafe Reload", you'll get a popup warning, with the option "Don't display this warning again". If you select that option, the "Unsafe Reload" should be expected to run, next time, without showing a warning. In some cases, though, after you select "Don't display this warning again", the "Unsafe Reload" icon will not be displayed again. This will leave you unable to run "Unsafe Reload", the next time that you start the Template Designer.

Internet Explorer uses Zone security. You will have to designate the domain where your blog is hosted as being in the Trusted Zone, then ensure that XSS is permitted for Trusted Zone domains.

Cross-site scripts are a problem that's sort of unique to the Template Designer wizard. There are many other security problems, though, that the Template Designer wizard shares with several other Blogger features - like Blogger login, Commenting, and Stats. Cross-site script filters affect scripts, as third party cookie filters affect cookie access.

URL changes - from "blogspot.com" to a custom domain, and from "blogspot.com" to a country code alias - will cause problems with any domain based filters. Cross-site script filters will be domain specific - and any filter which references "blogspot.com" will need to similarly reference any non "blogspot.com" domain to which your computer is subject.
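The domain-specific point above, as an added example that is not part of the original post: a small check that lists which of the hostnames a blog is served from are not covered by a domain based filter's entries. The function names, the sample URLs and the filter list are constructed for illustration and do not reflect the settings format of any particular browser or add-on.

```javascript
// Added example: all names and sample data here are constructed.

// True when `host` is `domain` itself or a subdomain of it. Matching on a
// label boundary keeps "notblogspot.com" from matching "blogspot.com".
function hostInDomain(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase().replace(/^\*?\./, "").replace(/\.$/, "");
  return h === d || h.endsWith("." + d);
}

// Return the hostnames from `blogUrls` that no filter entry covers.
function uncoveredHosts(blogUrls, filterDomains) {
  const missing = new Set();
  for (const u of blogUrls) {
    const host = new URL(u).hostname;
    if (!filterDomains.some((d) => hostInDomain(host, d))) missing.add(host);
  }
  return [...missing];
}

// Constructed sample: one blog reached three ways.
const sampleUrls = [
  "https://myblog.blogspot.com/",   // original BlogSpot address
  "https://myblog.blogspot.co.uk/", // country code alias
  "https://www.example.org/",       // custom domain
];

// A filter that was written when only "blogspot.com" was in use.
const sampleFilter = ["blogspot.com"];

console.log(uncoveredHosts(sampleUrls, sampleFilter));
```

Each hostname it reports is one the existing filter entry does not cover, so each needs its own deliberate decision rather than a broader wildcard.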

Layered security must be properly set up on your computer and network, if you wish to use Blogger effectively.


Comments

pcd2k said…
I'm not certain I like this new feature. I had a play round with it a little while ago and although I didn't (intentionally) make any changes, my blog loads for a few days after that behaved weirdly. Like my header graphic seemed to go missing for a couple of days and some of my widgets seemed to have disappeared. But lucky for me, my blog loads settled back to where things were meant to be eventually.
Dubie said…
Browser is Firefox, however at the time NoScript was disabled. At any rate, I feel that you understand what the symptom of the glitch is precisely in that Live Preview stopped working and as well the ability to change templates too.

Robert
