
The Template Designer, And Browser Security Settings

One of the most exciting features of the Template Designer is the Live Preview.

As you change any blog template setting using the Designer wizard, in the upper pane, you immediately see the effect of the change in the lower pane. That is the intended effect, when the wizard works.

The Template Designer, like most Blogger blog maintenance wizards, runs in "blogger.com". The live preview window, however, runs in the domain where the blog is published. This requires that both "blogger.com" and the blog domain have trusted status, and causes a vulnerability called cross-site scripting (XSS).

Blogs that are published to BlogSpot require that XSS be permitted for "blogspot.com", and blogs that are published to custom domains require that XSS be permitted for the domain URL.

Anybody with any serious concern for security permits neither, without careful consideration.

If your browser is Firefox, and you use NoScript for add-on security, you'll do an "Unsafe Reload", if you want your Live Preview to work. You do the "Unsafe Reload" from the NoScript XSS submenu, either from the status bar NoScript icon, or from the XSS alert bar which NoScript adds at the top of the browser window.

When you select "Unsafe Reload", you'll get a popup warning, with the option "Don't display this warning again". If you select that option, the "Unsafe Reload" should be expected to run, next time, without showing a warning. In some cases, though, after you select "Don't display this warning again", the "Unsafe Reload" icon will not be displayed again. This will leave you unable to run "Unsafe Reload", the next time that you start the Template Designer.

Internet Explorer uses Zone security. You will have to designate the domain where your blog is hosted as being in the Trusted Zone, then ensure that XSS is permitted for Trusted Zone domains.

Cross Site Scripts are a problem that's sort of unique to the Template Designer wizard. There are many other security problems, though, that the Template Designer wizard shares with several other Blogger features - like Blogger login, Commenting, and Stats. Cross Site Script filters affect scripts, as Third Party Cookie filters affect cookie access.

URL changes - from "blogspot.com" to a custom domain, and from "blogspot.com" to a country code alias - will cause problems with any domain based filters. Cross site script filters will be domain specific - and any filter which references "blogspot.com" will need to similarly reference any non "blogspot.com" domain to which your computer is subject.
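The coverage gap described above, as an added example that is not part of the original post and is not how NoScript or Internet Explorer implement their filters. It assumes a filter entry matches a host by whole-label domain suffix; the function names and every hostname are constructed for illustration.

```javascript
// Added example: which blog addresses a domain-based filter list covers.
// Assumption: an entry matches its own host and any subdomain of it.

// True when `host` equals `entry` or is a subdomain of it. Matching is on
// whole DNS labels, so "notblogspot.com" does not match "blogspot.com".
function hostMatchesEntry(host, entry) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const e = entry.toLowerCase().replace(/^\*?\./, "").replace(/\.$/, "");
  return h === e || h.endsWith("." + e);
}

// Returns the URLs whose host is not covered by any entry in the list.
function uncoveredUrls(allowlist, urls) {
  return urls.filter((u) => {
    const host = new URL(u).hostname;
    return !allowlist.some((entry) => hostMatchesEntry(host, entry));
  });
}

// Constructed filter entries: only the two domains named in the post.
const allowlist = ["blogger.com", "blogspot.com"];

// Constructed addresses under which one blog might be served.
const blogUrls = [
  "https://example-blog.blogspot.com/",   // BlogSpot address
  "https://example-blog.blogspot.co.uk/", // country code alias
  "https://blog.example.org/",            // custom domain
  "https://notblogspot.com/",             // look-alike, must stay uncovered
];

// Lists every address the current filter entries would still block.
console.log(uncoveredUrls(allowlist, blogUrls));
```

Add an entry only for the domains you actually publish to or are redirected to; the look-alike host stays uncovered because matching stops at label boundaries.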

Layered security must be properly set up on your computer and network, if you wish to use Blogger effectively.


Comments

Unknown said…
I'm not certain I like this new feature. I had a play round with it a little while ago and although I didn't (intentionally) make any changes, my blog loads for a few days after that behaved weirdly. Like my header graphic seemed to go missing for a couple of days and some of my widgets seemed to have disappeared. But lucky for me, my blog loads settled back to where things were meant to be eventually.
Robert Duberg said…
Browser is Firefox, however at the time NoScript was disabled. At any rate, I feel that you understand what the symptom of the glitch is precisely in that Live Preview stopped working and as well the ability to change templates too.

Robert
