Are widgets secure?

There's all this stuff about cross-site scripting & that the JavaScript in a widget can read
a lot of details of your site.
If you place content - such as your gallery on your secure dotmac page
& drive it in a wide open website...
Are you being compromised when using adsense, etc?

Ultimately it is the webpage in a browser that makes it secure or insecure.
It's not code by iWeb, but by Google AdSense. You add it to iWeb. iWeb stores it on the server.
The widgets would be just as (in)secure if you had typed the pages in a text editor and added the code yourself.
The browser is responsible for preventing cross-scripting.
You always see security issues in browsers, not in HTML Editors of any kind.

Similar Messages

  • Are widgets no longer part of Mavericks ?

    Not only can I not enjoy my RSS screensavers anymore, but I've just discovered, upon finding my default translation widget is incorrect, I cannot download widgets anymore. Mavericks is one disappointment after another. What are my alternatives ? Are widgets being phased out for the app store ? I miss Mr. Jobs...

    I went to the Apple site widgets page, found a widget called "Translate," and downloaded it (https://www.apple.com/downloads/dashboard/travel/translate_jeroenwielandt.html). Upon opening it from my downloads folder, I get the prompt, " 'Translate' can't be opened because it is from an unidentified developer. Your security preferences allow installation of only apps from the Mac App Store and identified developers."
    Am I stuck finding this type of program as an app ? I enjoy the ease of switching between my widgets and my homescreen, but now that Mavericks has added... for lack of a better word than 'junk,' I'll say Mavericks has added more 'options,' I'll just have to purchase and add to my clutter a translation app from the store and switch between using my widgets page, my homescreen and second, third and fourth desktops that keep appearing. It's quite disappointing if this is my option.

  • Office 2013: where the heck are the security updates hiding?

    I built a deployment for Office 2013 yesterday.  The source files were downloaded from Microsoft, with SP1 integrated.  This is *not* a "Click to Run" deployment.  I used the Office Customization Tool to make a few changes (we're
    not using OneDrive, so that piece isn't getting installed.  I disabled the "First Run" and Customer Experience stuff, and disabled RSS Feeds and SharePoint integration.  And I put in our volume license key.  Overall it's a pretty vanilla
    build.)
    I wanted to include all available security updates since SP1 has been released, and stick them into the "Updates" folder of my deployment.  So after I installed Office 2013 x64 on my Windows 7 x64 system (the base package that I built installs
    just fine), I went to Windows Update to see what was available.  There is nothing there.  I rebooted, and tried again.  Still nothing.  If I go into one of the Office 2013 apps, and go to File -> Account, I do *not* have any "Update"
    buttons or options.
    If I go to Windows Update in my Control Panel, and click "Change Settings", I have two things checked.  "Give me recommended updates the same way I receive important updates", and "Allow all users to install updates on this
    computer."  There are no other options to look for alternative Microsoft products, or at least no options that I can find.  This is Windows 7 x64 SP1, fully patched.
    I know that there have been security updates released for Office 2013 since SP1 came out in February 2014.  I manually downloaded a security patch for Lync 2013, and installed that MSP onto this test system with no
    issues.  So there are applicable security updates out there.  So why in the world can't I find the updates through the normal mechanisms?  Ideally, we'd want for end users to be able to install security updates manually in an
    emergency, but either I'm missing something, or that is not possible in Office 2013.  Hopefully distributing Office 2013 updates through SCCM will work, but from what I'm seeing so far, I'm not sure the machines will be "detected" as having
    Office 2013, because right now it can't even scan itself against Windows Update for that product.
    Thanks for any input...I'm quite baffled at how the update routine is supposed to be functioning in Office 2013.  I think the missing link is why I can't choose to search for "other" Microsoft products from the Windows Update panel. 
    The option/checkbox is totally gone.

    Hi,
    By default Windows Update only updates Windows itself. To get updates for Office and for any other Microsoft products as well, you will need to upgrade your Windows Update to Microsoft Update.
    On Windows Update panel, click "Find out more" link to install Microsoft Update.
    Hope this helps.
    Thanks,
    Ethan Hua CHN
    TechNet Community Support

  • What are the security settings to lock down a form with fillable fields and yet allow someone with Reader to fill in the fields as well as save the form and print it?

    What are the security settings to lock down a form with fillable fields and yet allow someone with Reader to fill in the fields as well as save the form and print it?

    You want to allow someone to open your document and fill out the form (in the fields you have created), but not change or edit the form, right? Here's the answer - assuming you are using Acrobat Pro and someone will be opening the PDF using at least Acrobat Reader 9 and up:
    Tools > Protection > Encrypt > Encrypt with Password
    Answer YES to change the security.
    A new window opens:
         Do NOT select Document Open (or that will require a password to open the document.)
         Select: Permissions (Check the box next to "Restrict editing and printing of the document.")
         Change the following 2 settings from the drop-down box:
              Printing Allowed: Select High Resolution
              Changes Allowed: Select Commenting, filling in form fields, and signing signature fields
              Leave selected: "Enable text access for screen reader devices for the visually impaired"
              Change Permissions Password (insert a strong password)
              Leave all other settings alone in "Options"
              OK - OK
              Re-enter the Permissions Password (the one you entered above)
              OK - OK
              Save the PDF to apply the security [notice that (SECURED) will appear after the document title]

  • Flash Builder 4 - design view - states basedOn + design area widget

    Hello,
    Since I updated my project from Flex 3 to Flash Builder (4), I have very annoying issues in the design area.
    The one in Flex 3 was quite useful, but the new version is not easy or straightforward to use.
    Here are the 3 issues:
    - When I have states designed from another one, I use the basedOn mxml attribute, which was used in Flex 3 and still exists in the SDK 4 states system.
    But the designer view in Flash Builder doesn't take those basedOn properties into account!
    What can I do? And is it a known bug?
    - When I have at least one specific state, I must define a default state in the new SDK. OK, but in design view, I can't add a new component without making the change only for one state. I can only make the change for the default state, but it will not be taken into account for all the other states, like I can do in Flex 3.
    What I want to be able to do is this: making changes in design view without selecting ANY state.
    Is it possible? How can I do it?
    - In Flex 3, there was a design area widget to select the resolution used for the preview design.
    It was very useful when the application has very dynamic width and height.
    In Flash Builder, this widget has been removed.
    Why has it been removed? And how can I preview my mxml views without changing width and height values?
    Thanks.
    Seb

    The update has been improved in every other area, so it is not that important.
    I just hope that the new release will fix that (as was answered in reply to my post).
    The only thing I don't like in new releases of FB is that when the architecture of the SDK is aimed to separate the work between design and code, they focused only on Catalyst to create the tools to manipulate design, and they forgot to keep an easy way to design an app directly in FB (with the design view and the style properties of MXML in FB3). But I'm confident that they will give such a tool soon.
    But for now, if you don't like the restriction of the new release, you can continue to work with Flex 3 for 0$! And even in Flex 4, you can create MX components for which the design view will work as before. The fact that tools can manage a mix between MX and Spark components is a great thing. It is up to you to choose which you need, each with its own advantages and drawbacks.
    Xcode is a real pain to use, with outdated ergonomics. It is only useful to code in Objective C, which is another real pain to do.
    Xcode can be cheaper because all Apple products are quite expensive, so the software to create software for them can be much cheaper.
    And Apple gets a good revenue share from the App Store, so again they can give cheap software to create apps. You also have to pay 100$ to be able to send an app to the App Store; in my opinion the good price for Xcode should be 0$, not even 80$!
    Flash builder 4 is very stable, but if you don't like it, you can choose another tool. Main competitor has no designer at all!

  • What are the security implications of having JAVA running on my Mac Book Pro?

    What are the security implications of having JAVA running on my Mac Book Pro?

    Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style virus affecting OS X. Merely loading a page with malicious Java content could be harmful.
    Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.
    Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it — not JavaScript — in your browsers.
    Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.

  • What are the security risks for opening port 80 on workstations?

    Hello all,
    In our environment, there is an application which opens port 80 on workstations when installed, but it is not allowed on the perimeter FW.
    Could you please advise what are the security risks for leaving port 80 opened on the workstations? Or is it considered secure unless it is not allowed on the perimeter FW?
    Thanks a lot & regards

    Hi R.Naguib.
    The 80 port is open by default through the firewall on Windows system, it is used by a http protocol by a browser.
    As for the network or hardware Firewall settings, I suggest to turn to the network administrator for details.
    Regards
    Wade Liu
    TechNet Community Support

  • What Are the Security Implications of not Completely Signing Database?

    Hello everyone,
    What are the security implications of not completely signing the database?
    From http://www.archlinux.org/pacman/ ,
    The following quote implies that the database exists merely just in case hand tweaking is necessary:
    maintains a text-based package database (more of a hierarchy), just in case some hand tweaking is necessary.
    However, considering that there are cases that pacman's local database needs to be restored, there are implications that the database is essential for pacman to function properly.
    From https://wiki.archlinux.org/index.php/Ho … l_Database :
    Restore pacman's local database
    Signs that pacman needs a local database restoration:
    - pacman -Q gives absolutely no output, and pacman -Syu erroneously reports that the system is up to date.
    - When trying to install a package using pacman -S package, and it outputs a list of already satisfied dependencies.
    - When testdb (part of pacman) reports database inconsistency.
    Most likely, pacman's database of installed software, /var/lib/pacman/local, has been corrupted or deleted. While this is a serious problem, it can be restored by following the instructions below.
    I know that all official packages (from core, extra, community, etc.) are signed so that all files should be safe, but I'm just paranoid.
    What if the database was hacked?  Will this lead to installation of harmful software?
    Sincerely,
    Cylinder57
    Last edited by Cylinder57 (2012-10-15 03:42:31)

    Cylinder57 wrote:
    From this quote:
    Allan wrote:But, the OP (also?) talks about the local package database on his computer.  That is not signed at all as there is no point.  If someone can modify that, then they can regenerate the signature, or just modify any other piece of software on your computer.
    Is it going to be easy for anyone other than the authorized user to modify the local package database?
    Allan basically answered that with the quote above already as I understand it. Someone who has access to the installation, e.g. is able to chroot into your PC via USB, is not held back by any ACLs. However, modifying the local database only makes limited sense because the packages are already installed. Pacman would only recheck if you re-install a package. The only really relevant attack vector for the package database is
    (1) installing an older package with a vulnerability,
    (2) replacing the up-to-date package sig in the local database with the older one and
    (3) modifying the system, e.g. via pacman.conf excludes, to not update that.
    then also re-installing would not create a sig-error and you get stuck with the bogus old package.
    With a signed database this would not be possible. However, as Allan wrote earlier also with a signed database that criminal can manually install (totally leaving pacman & package cache) whatever it needs in this scenario. So, if you are -really- paranoid about that, you probably want to spend (a lot of configuring) time with something like the "aide" package.
    Cylinder57 wrote:
    And, are the following statements correct:
    If the repository databases are modified, the hacker might be able to modify the packages on the server (Considering that if someone can modify the local package database, that person can modify any other piece of software on that particular computer.)
    However, pacman won't let users install the modified packages (due to package signing,) unless at one person with access is bribed (at least, for an individual package.)
    I don't know the intricacies of the server infrastructure - only saw they have great names :-), but I am pretty certain your statements assume that correctly. It is pretty unlikely that someone able to modify the central repository database fails at placing a bogus package for shipping with those access rights at this time. Yet it does no harm not to post any details of such a scenario here imo. In any case: A compromised mirror would be enough for that - and easier to achieve (hacked anywhere or e.g. in a non-democratic state). Plus you also answered it yourself. The keys are key for our safety there. Which keeps me hoping that no criminal lawnmower salesmen frequent the Brisbane area.
    As you put up a thread about this, one question you can ask yourself is:
    Have you always checked on updates new signatures keys which pacman asks about? If you ever pressed "accept/enter" without checking them out-of-band (e.g. the webserver), that compromised mirror database might have just created a "legitimate" key .. user error, but another attack vector the database signing would catch.
    edit: Re-thinking the last paragraph just after posting, I now believe it would not be that easy as implied - simply because the bogus key is not trusted by one of the master keys. The pacman pgp trust model should catch that without database signing. At least it would if only the official repositories are activated, but that's a pre-requisite to the whole thread.
    Last edited by Strike0 (2012-10-20 23:01:26)
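A defender-side check for step (3) in Strike0's reply above, where upgrades are suppressed through pacman.conf. This is an added example, not part of the thread and not pacman's own code: `IgnorePkg` and `IgnoreGroup` are pacman.conf directives, while the sample configuration, the installed-package list and the `approved` allow-list are constructed for illustration, and `Include` lines are not followed.

```python
import fnmatch

# Constructed sample pacman.conf, not taken from any real system.
SAMPLE_CONF = """\
[options]
HoldPkg      = pacman glibc
Architecture = auto
#IgnorePkg   = linux
IgnorePkg    = openssl lib32-*
IgnorePkg    = nvidia-dkms
IgnoreGroup  = gnome

[core]
Include = /etc/pacman.d/mirrorlist
"""

# Constructed list of installed package names (what `pacman -Qq` would print).
INSTALLED = ["bash", "lib32-glibc", "linux", "nvidia-dkms", "openssl"]


def parse_ignores(conf_text):
    """Collect IgnorePkg / IgnoreGroup values from the [options] section.

    pacman.conf only treats a line as a comment when it starts with '#',
    and a directive may be repeated, so values are accumulated.
    """
    found = {"IgnorePkg": [], "IgnoreGroup": []}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "options" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in found:
            found[key].extend(value.split())
    return found


def unexpected_holds(conf_text, installed, approved=()):
    """Map each installed package to the IgnorePkg patterns that block its
    upgrades, skipping patterns the administrator has explicitly approved."""
    patterns = [p for p in parse_ignores(conf_text)["IgnorePkg"]
                if p not in approved]
    hits = {}
    for pkg in installed:
        # IgnorePkg accepts shell-style globs, so match rather than compare.
        matched = [p for p in patterns if fnmatch.fnmatchcase(pkg, p)]
        if matched:
            hits[pkg] = matched
    return hits


if __name__ == "__main__":
    # 'nvidia-dkms' is a hypothetical hold the administrator knows about.
    for pkg, pats in unexpected_holds(SAMPLE_CONF, INSTALLED,
                                      approved=("nvidia-dkms",)).items():
        print(f"upgrades blocked for {pkg}: matched {', '.join(pats)}")
```

Run against the real /etc/pacman.conf from a trusted boot medium or alongside a file-integrity tool such as the "aide" package mentioned in the reply, since a check executed on a compromised system can itself be tampered with.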

  • What are the security post refresh procedures in general?

    Hi,
    Can anyone list me out What are the security post refresh procedures in general?
    Thanks and Regards,
    Damanaidu J

    >
    Damanaidu jawaharlal wrote:
    > Hi,
    >
    > Can you cite with respect to CUA.
    >
    > Thanks and Regards,
    > Damanaidu J
    CUA
    ====
    CUA behaves differently during a system/client copy and this is the approach we took and it was successful.  The goal is to take a backup of the source before CUA deletion then restore. Do not delete CUA and just attempt to rebuild it, all the roles will be gone.  Backup and restore will be the approach I recommend.
    a1.  Take a snapshot of your QA user and role assignments before copy.
    1.  (Basis) First make a backup of the source system.  This is important before step 2.
    2.  After successful backup delete the CUA from the source system.
    3.  After successful copy to target system, restore backup to source system.
    4.  Depending how the copy was done, users and passwords should be in the target system but all the role assignments will be gone.
    5.  Start assigning roles based on your requirements.  If you need to restore the old QA settings, that is captured in a1.
    Perhaps others can add in other steps I might have missed.
    Good Luck!

  • WCP Framework 11g and SES 11g : search results are not secured

    Hello,
    We are integrating WCP 11.1.1.6 and SES 11.1.2.2
    we have quite a stunning issue here where the search results returned by a WCP Framework application are not secured, ie secured contents are returned in the search results for unauthenticated users and for users who have no permission on these contents.
    Though, the search results are well secured in the standard SES search interface (http://seshost/search/query/).
    The main concern is about results coming from WCC.
    Thanks for any help,
    Vince

    Hi Jiri,
    we managed to integrate UCM and WCP with Document Service taskflows and it works fine, ie security is well propagated for the roles we want.
    WCC/UCM and WCP authenticate users via WLS which is connected to an AD.
    SES has its own identity management system which authenticates users directly to the AD.
    We activated the SESCrawler component in WCC/UCM and the SES/UCM crawling process is OK.
    We can search for UCM contents in SES without issue and anonymous/unauthenticated search in SES doesn't return results from non-public security groups, which is what we want.
    WCP search is connected to SES (which is the default setting), eg from adf-config.xml:
    <searchC:adf-search-config xmlns="http://xmlns.oracle.com/webcenter/search/config">
      <display-properties>
        <common numSavedSearches="5" />
        <region-specific>
          <usage id="simpleSearchResultUIMetadata" numServiceRows="5" />
          <usage id="searchResultUIMetadata" numServiceRows="5" />
          <usage id="localToolbarRegion" numServiceRows="5" />
        </region-specific>
      </display-properties>
      <execution-properties timeoutMs="7000" prepareTimeoutMs="1000" />
      <crawl-properties fullCrawlInterval="P5D" enableWcServicesCrawl="true" enableWcDiscussionsCrawl="true" enableWcUcmCrawl="true" />
      <ses-properties>
        <connection>ses</connection>
        <data-group>SourceGroup</data-group>
      </ses-properties>
    </searchC:adf-search-config>
    So the problem is that anonymous/unauthenticated search in WCP does return results from non-public security groups, which is not what we want.
    eg: access to the WCP app (don't logon)
    run a search
    in the search results, you can see contents which are not assigned in the public security group. Though, the WCC/UCM guest role doesn't have any permission on these SG.
    I can't raise SR myself.
    Thanks for any help,

  • HT201178 Are there security issues with pairing keyboards with certain passkeys?

    Are there security issues with pairing keyboards with certain passkeys?

    Hello, some info on that...
    http://x704.net/bbs/viewtopic.php?f=29&t=6059&p=73599&hilit=bluetooth#p73599

  • Video calls are not secure - not showing lock icon

    Hi guys,
    Calls between 9971/8945. Video calls are not getting secured.
    video calls are not secure - not showing lock icon.
    However audio calls are secure
    CUCM Version : 8.6.2.22900-9
    1 pub and 2 sub
    Secured cluster : mixed mode
    9971 : sip9971.9-3-1-33 - running version - same issue
    9971 : sip9971.9-2-4-19 - old version - same issue
    8945 : sccp8941-8945.9-3-2-11 – Running version.
    Please suggest.
    thx
    Ashish

    Would you be able to try 9.3(2) firmware or later?  I checked with 9.4(1) and I see a lock icon when placing a video call on my 9971.  According to the new and changed information 9.3(2) added additional support for when to display the lock icon,
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/9971_9951_8961/firmware/932/release_notes/P567_BK_RD4ECA70_00_rn-9_3_2-8961-9951-9971_chapter_00.html#P567_RF_AB412E9F_00.

  • HT4009 I don't know how to download my first purchased app cuz there are some security questions

    I can't download apps from AppStore cuz there are some security questions

    The security questions are part of an enhanced security policy started some weeks ago (http://www.macrumors.com/2012/04/12/apple-enhancing-apple-id-safety-by-enforcing-security-question-requirements/).

  • I am having trouble connecting to wifi networks that are password secured, even though I know the passwords.

    hey guys,
    Ok so here is the problem. I am having trouble connecting to wifi networks that are password secured. I am able to connect to public wifi with no problem, but when networks have passwords on them I am unable to connect to them, and I know the passwords. I also know that I am putting the correct passwords in because I am able to connect to the networks on my computer. I have tried turning my phone off and then back on, turning the wifi off and then back on and even resetting my network passwords to no avail. The networks that are secure show up in the wifi list for networks but when I go to put the password in, it tells me "incorrect password for the network". It has never connected to it since the passwords have been put on it. I am out of ideas for troubleshooting. Can anyone else help?!

    Try a soft reset by holding in the power button and the home button at the same time for about 15 seconds until the screen flashes and then goes completely black. Afterwards try and turn the phone back on and see if that works. Also you could try and reset the Network Settings by going to Settings--General--Reset--Reset Network Settings and see if that resolves your problems as well. If all else fails be sure and do a backup through iTunes and then try to restore the device. Hopefully all will be well now.

  • Why is iCloud asking for apple id password? I have started using Last Pass to generate passwords that are more secure. Ideas please?

    Why is iCloud asking for apple id password? I have started using Last Pass to generate passwords that are more secure. Ideas please?
    GCG

    The iCloud password isn't saved anywhere on your device, this is the way it's supposed to work.
