But, when setting Opera to mask as Firefox (or IE) to get in, everything
works perfectly. So I suspect that it's not an actual incompatibility
but an assumed incompatibility. For example, I know the myUVM content
page used to assume Opera couldn't handle inline frames.

Anyway, I've looked at clientsniffer.js and all it does is create an
extraordinary number of variables containing true or false for browsers
and versions (i.e. is_ie4). There's no code to actually create a
message. So that warning must be coming from another script that's using
those variables.

On 2/19/2010 11:55 AM, Paul T Webb wrote:
> clientsniffer.js is a vendor supplied file.  The test portal is a
> slightly newer release of Luminis undergoing evaluation and I'll try
> to find out if there's any real reason why it's not supporting Opera.
> It works with the current version running on myUVM and I haven't heard
> of any issues.  It's possible that there are some incompatibilities
> with Luminis components we're not using (such as a legacy Sun email
> and calendaring application, course management, chat, etc).  If
> anything, the rather rude (and grammatically incorrect) message it
> presents when using Opera should be toned down.
>
> For the IE 'Insecure Content' issue, there's a FAQ on the help tab
> that shows a workaround.  This is usually caused by embedding remote
> images into the channel content.  Anything served by our servers
> should already be https, but maybe the portal content folks can double
> check (and look at the WCAX issue as well).
>
> For reference, our current portal browser usage is:
>  Firefox  37.57%
>  Safari   36.92%
>  IE       20.72%
>  Chrome    4.36%
>  Opera     0.13%
>
> Paul
>
> On 2/19/2010 11:08 AM, Tyler Whitney wrote:
>> Meant to be on list for everyone's info.
>>
>> -------- Original Message --------
>> Subject: 	Re: myUVM portal password storage
>> Date: 	Fri, 19 Feb 2010 11:08:10 -0500
>> From: 	Tyler Whitney <[log in to unmask]>
>> To: 	Keith Kennedy <[log in to unmask]>
>>
>>
>>
>> I noticed that most of the browser detection is done in the
>> Javascript file here: https://myuvm.uvm.edu/js/clientsniffer.js based
>> on the source code of the login page. Perhaps some Javascript editing
>> there to flag the browser differently?
>>
>> I didn't fine-tooth over the code, and I didn't see if it was a
>> Luminis-made file or a UVM-made one. It's been a while since I've
>> looked at the actual backend of portal stuff, but I remember it used
>> to have serious issues with IE7 when it came out. Now it seems to
>> work just fine, I doubt (and no offense to Rudy) that many people use
>> Opera... but it is a larger contender considering other smaller
>> browsers.
>>
>> My only complaint with the portal is the HTTPS errors that come about
>> in IE8... the new IE messages that warn users about data being served
>> insecurely when on a secure site asks you to click NO if you want to
>> show all data and YES to show only the secure ones... I find many
>> people end up clicking YES without looking and it makes things look
>> funny or not show up. I would edit links to anything using HTTP and
>> make it served up with HTTPS to make things work a little smoother.
>> Happens immediately after logging in.
>>
>> Oh, and what's with the "<STRONG>More local stories from <FONT
>> color=#ff0000>Vermont&#39;s Own&nbsp;WCAX-TV News.</FONT> </STRONG>"
>> code being displayed under WCAX Local News instead of actually
>> parsing the html?
>>
>> Tyler
>>
>> On 2/19/2010 9:35 AM, Keith Kennedy wrote:
>>> Hi Rudy,
>>>
>>> Well, it's a purchased package (portal = luminis), and if it has a
>>> hard-coded list of what it considers
>>> vulnerable browsers, we may or may not be able to convince it otherwise.
>>> I'm surprised that the app even tries to make that judgment.
>>> As far as the relative security/reliability of browsers...
>>> we are certainly not knowledgeable in that area.
>>>
>>> I hope this off-list approach is OK. Reply all is appreciated.
>>> Several of us are involved in one way or another
>>> and it's good to share what test/results we are seeing...
>>>
>>> Thanks again.
>>>
>>> - Keith
>>>
>>>
>>>
>>> On 2/19/2010 9:14 AM, Rudy Raab wrote:
>>>> Well, I've found a flaw on your test system. It blocks Opera with
>>>> the message "The Opera browser you are using has a various serious
>>>> security defects and is not allowed to be used with this
>>>> application." That's a little strange since Opera 10.0 and above
>>>> have a grand total of zero open vulnerabilities (according to
>>>> Secunia). And if it's talking about DEP and ASLR, Opera's supported
>>>> those since 9.64. I think your browser detection system needs to be
>>>> updated.
>>>>
>>>> And after having Opera 10.5 beta and 10.1 stable mask themselves as
>>>> Firefox to get in, they both still prompt to remember the password.
>>>> But Chrome and Firefox now do not prompt. Perhaps Opera's
>>>> strangeness is due to it using not auto-complete, but its own
>>>> actual password manager with form-filling and such.
>>>>
>>>> Anyway, at least FF and Chrome are fixed.
>>>>
>>>> And this off-list reply is a little strange, but I've hit reply all
>>>> so everyone gets my message.
>>>>
>>>> On 2/19/2010 8:25 AM, Paul T Webb wrote:
>>>>> I've tried to exorcise some of the evilness by making a change to
>>>>> the login page of our test Luminis system,
>>>>> https://portaldev.uvm.edu  (added 'autocomplete="off"' to the form).
>>>>>
>>>>> With this change, neither Firefox nor Chrome will offer to save my
>>>>> password.  Same with IE8, but it already didn't before I made the
>>>>> change.
>>>>>
>>>>> Could you folks do some testing as well?
>>>>>
>>>>> To the bigger question -- is this the change we want to make,
>>>>> versus allowing the username to be stored as well?  I think not,
>>>>> given that access to the portal also allows single sign-on to
>>>>> several other systems.  Comments from the Security Team, Don?
>>>>>
>>>>> Thanks,
>>>>> Paul
>>>>>
>>>>>
>>>>> On 2/18/2010 8:17 PM, Rudy Raab wrote:
>>>>>> Don't take my "evil" thing seriously. I call everything evil at
>>>>>> least once in my life. I know it's not intentional design, just a
>>>>>> mistake. And I'll help with browser testing of any modifications
>>>>>> made to the page.
>>>>>>
>>>>>> And thank you for taking the time to look at the page.
>>>>>>
>>>>>> On 2/18/2010 4:10 PM, Keith Kennedy wrote:
>>>>>>> Hey hey hey!
>>>>>>> ...evil luminis.... really.
>>>>>>>
>>>>>>> Yes, this is "mostly" a browser issue.
>>>>>>> But I know there are directives that can be added to html to
>>>>>>> help browsers make good decisions about whether or not to
>>>>>>> helpfully offer to remember what you typed last time.
>>>>>>> We will review this page and see if we can make it NOT offer to
>>>>>>> remember passwords.
>>>>>>>
>>>>>>> - Keith
>>>>>>>
>>>>>>> On 2/18/2010 3:57 PM, Rudy Raab wrote:
>>>>>>>> That might be why Chrome can't put the password in. It's trying
>>>>>>>> to use the hidden input box. And isn't it bad HTML practice to
>>>>>>>> use the same name on different tags?
>>>>>>>> But whatever. At least now we know we can blame the evil
>>>>>>>> Luminis Platform for all the problems. :)
>>>>>>>>
>>>>>>>> On 2/18/2010 1:22 PM, Tyler Whitney wrote:
>>>>>>>>> I think this is simply the nature of the Luminis Platform, the
>>>>>>>>> vendor of the MyUVM portal. In my experience at other
>>>>>>>>> universities the portal reacted the same way... especially
>>>>>>>>> when building in ports to the university's other services,
>>>>>>>>> because of single-sign-on authentication. It is pretty tricky.
>>>>>>>>> There shouldn't be anything very special about the input
>>>>>>>>> fields per se that would make the browsers react differently.
>>>>>>>>> However, looking at the code it may be simply because AFTER
>>>>>>>>> the login box is displayed there is a hidden field with the
>>>>>>>>> SAME name of the user field that is default to "" an empty
>>>>>>>>> string. See:
>>>>>>>>>
>>>>>>>>> <form name="userid" onSubmit="xferFocus(this); return false;">
>>>>>>>>> <dl>
>>>>>>>>> <dt><label for="user" accesskey="u"><abbr title="University of
>>>>>>>>> Vermont">UVM</abbr> Net<abbr
>>>>>>>>> title="identification">ID</abbr>:</label></dt>
>>>>>>>>> <dd><input type="text" id="user" name="user" class="textform"
>>>>>>>>> tabindex="1" /></dd>
>>>>>>>>> </dl>
>>>>>>>>> </form>
>>>>>>>>> <form name="cplogin"
>>>>>>>>> action="https://myuvm.uvm.edu/cp/home/login"
>>>>>>>>> onSubmit="login(); return false;" method="post">
>>>>>>>>> <dl>
>>>>>>>>> <dt><label for="pass" accesskey="p">Password:</label></dt>
>>>>>>>>> <dd><input type="password" id="pass" tabindex="2" name="pass"
>>>>>>>>> class="textform" /></dd>
>>>>>>>>>
>>>>>>>>> --------------------------------------
>>>>>>>>>
>>>>>>>>> <dd> <input type="hidden" name="user" value=""></dd>
>>>>>>>>> --------------------------------------
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> </dl>
>>>>>>>>> </form>
>>>>>>>>>
>>>>>>>>> My guess is that has something to do with it... but also there
>>>>>>>>> is tons of Javascript that manage what browser is being used,
>>>>>>>>> the cache/cookies... so it could be any number of things.
>>>>>>>>>
>>>>>>>>> And I don't really know much about the Luminis portal software
>>>>>>>>> anyway.
>>>>>>>>>
>>>>>>>>> Tyler
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 2/18/2010 12:21 PM, Rudy Raab wrote:
>>>>>>>>>> My initial thoughts would be that it's a quirk of the page. I
>>>>>>>>>> believe browsers use a sort of code-detection to know that the
>>>>>>>>>> box in question is a username or password box. Perhaps the
>>>>>>>>>> NetID box is a little quirky and browsers can't recognize it
>>>>>>>>>> as username input. Though that doesn't entirely explain
>>>>>>>>>> Chrome's issue. And it doesn't explain why it used to be the
>>>>>>>>>> other way around. So I'm not sure.
>>>>>>>>>>
>>>>>>>>>> This is one of the reasons I rarely visit myUVM. And normally
>>>>>>>>>> Opera's password-remembering is unbeatable-- I can never get
>>>>>>>>>> Firefox or IE to remember my password on Blackboard,
>>>>>>>>>> strangely enough, but Opera's always handled it with no problem.
>>>>>>>>>>
>>>>>>>>>> Hopefully someone handling the myUVM page is watching this
>>>>>>>>>> list...
>>>>>>>>>>
>>>>>>>>>> On 2/18/2010 12:01 PM, Jarlath O'Neil-Dunne wrote:
>>>>>>>>>>>
>>>>>>>>>>> Thanks Rudy, I should have been more clear, it is Firefox
>>>>>>>>>>> that stores the password.  Just wondering why myUVM allows
>>>>>>>>>>> the password to be stored, not the Net ID.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>> /Jarlath O'Neil-Dunne/
>>>>>>>>>>>
>>>>>>>>>>> /Geospatial Analyst/
>>>>>>>>>>>
>>>>>>>>>>> /University of Vermont/
>>>>>>>>>>>
>>>>>>>>>>> /Spatial Analysis Laboratory/
>>>>>>>>>>>
>>>>>>>>>>> /802.656.3324/
>>>>>>>>>>>
>>>>>>>>>>> http://www.uvm.edu/~joneildu <http://www.uvm.edu/%7Ejoneildu>
>>>>>>>>>>>
>>>>>>>>>>> *From:* Technology Discussion at UVM
>>>>>>>>>>> [mailto:[log in to unmask]] *On Behalf Of *Rudy Raab
>>>>>>>>>>> *Sent:* Thursday, February 18, 2010 11:57 AM
>>>>>>>>>>> *To:* [log in to unmask]
>>>>>>>>>>> *Subject:* Re: myUVM portal password storage
>>>>>>>>>>>
>>>>>>>>>>> I believe that it is the browser storing the password, not
>>>>>>>>>>> the site. I do not see any check box or option to save the
>>>>>>>>>>> password on the site itself-- only my particular browser's
>>>>>>>>>>> option. And myUVM has always been messed up in the
>>>>>>>>>>> password-remembering compatibility department. It used to be
>>>>>>>>>>> the other way around, e.g. it would save the netID but not
>>>>>>>>>>> the password.
>>>>>>>>>>>
>>>>>>>>>>> And I've also not only confirmed the problem in Firefox 3.6
>>>>>>>>>>> and Opera 10.5(beta), but also noticed different issues on
>>>>>>>>>>> these browsers:
>>>>>>>>>>> Google Chrome: prompts to remember the password, but doesn't.
>>>>>>>>>>> IE8: never prompts at all.
>>>>>>>>>>>
>>>>>>>>>>> On 2/18/2010 10:35 AM, Jarlath O'Neil-Dunne wrote:
>>>>>>>>>>>
>>>>>>>>>>> I noticed that myUVM portal will store my password (if I
>>>>>>>>>>> allow it), but not my Net ID.  This seems to be a bit
>>>>>>>>>>> backwards.  Would it not be less risky to have things the
>>>>>>>>>>> other way around?  Tested on Firefox.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>> /Jarlath O'Neil-Dunne/
>>>>>>>>>>>
>>>>>>>>>>> /Geospatial Analyst/
>>>>>>>>>>>
>>>>>>>>>>> /University of Vermont/
>>>>>>>>>>>
>>>>>>>>>>> /Spatial Analysis Laboratory/
>>>>>>>>>>>
>>>>>>>>>>> /802.656.3324/
>>>>>>>>>>>
>>>>>>>>>>> http://www.uvm.edu/~joneildu <http://www.uvm.edu/%7Ejoneildu>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> ---
>>>>>>>>>>> Rudy Raab
>>>>>>>>>>> UVM Student
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> ---
>>>>>>>>>> Rudy Raab
>>>>>>>>>> UVM Student
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Tyler Whitney
>>>>>>>>> IT Support Specialist
>>>>>>>>> Department of Residential Life
>>>>>>>>> The University of Vermont
>>>>>>>>> Robinson Hall, 406 South Prospect Street
>>>>>>>>> Burlington, VT 05405-0364
>>>>>>>>>
>>>>>>>>> Phone: (802)656-7937; Fax: (802)656-1142; Cell: (518)335-3196
>>>>>>>>> E-mail:[log in to unmask]
>>>>>>>>>
>>>>>>>>> Staff IT Line; (805)656-7934
>>>>>>>>> Submit a Footprint;http://reslife.uvm.edu/staffit
>>>>>>>>> Submit a Website Issue/Problem;http://reslife.uvm.edu/bugs
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> ---
>>>>>>>> Rudy Raab
>>>>>>>> UVM Student
>>>>>>>>
>>>>>>
>>>>>> --
>>>>>> ---
>>>>>> Rudy Raab
>>>>>> UVM Student
>>>>>>
>>>>>
>>>>> --
>>>>> *Paul T. Webb*
>>>>> Database Administrator and maintainer of the slightly naughty
>>>>> Luminis Platform
>>>>> University of Vermont
>>>>> 19 Roosevelt Highway, Suite 200
>>>>> Colchester, VT 05446
>>>>> (802)656-0249
>>>>> [log in to unmask]
>>>>>
>>>>
>>>> --
>>>> ---
>>>> Rudy Raab
>>>> UVM Student
>>>>
>>
>> --
>>
>> Tyler Whitney
>> IT Support Specialist
>> Department of Residential Life
>> The University of Vermont
>> Robinson Hall, 406 South Prospect Street
>> Burlington, VT 05405-0364
>>
>> Phone: (802)656-7937; Fax: (802)656-1142; Cell: (518)335-3196
>> E-mail:[log in to unmask]
>>
>> Staff IT Line; (805)656-7934
>> Submit a Footprint;http://reslife.uvm.edu/staffit
>> Submit a Website Issue/Problem;http://reslife.uvm.edu/bugs
>>
>>
>
> --
> *Paul T. Webb*
> Database Administrator
> University of Vermont
> 19 Roosevelt Highway, Suite 200
> Colchester, VT 05446
> (802)656-0249
> [log in to unmask]
>

--
---
Rudy Raab
UVM Student
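
An added example, not part of the original thread or of the Luminis code: a small Node.js audit for the three markup issues raised above (a password field the browser may offer to store, the same `name` reused on several inputs across the page, and `http://` sub-resources that trigger the IE8 insecure-content prompt on an HTTPS page). The sample HTML is constructed from the form quoted in the thread; the image URL, the function names and the finding labels are assumptions.

```javascript
// SAMPLE_HTML is constructed, modelled on the form quoted in the thread;
// the image URL is a placeholder, not a real portal resource.
const SAMPLE_HTML = `
<form name="userid" onSubmit="xferFocus(this); return false;">
<input type="text" id="user" name="user" class="textform" tabindex="1" />
</form>
<form name="cplogin" action="https://myuvm.uvm.edu/cp/home/login" method="post">
<input type="password" id="pass" name="pass" class="textform" />
<input type="hidden" name="user" value="">
<img src="http://news.example/logo.gif">
</form>`;

// Parse one tag's attribute text into a lower-cased name -> value map.
function parseAttrs(text) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of text.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Findings: storable password fields, duplicate input names, http:// sub-resources.
function auditLoginPage(html) {
  const findings = [];
  const nameCounts = new Map();
  let formAutocomplete = null; // autocomplete value of the form currently open
  const tagRe = /<(\/?)(form|input|img|script|iframe)\b([^>]*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[2].toLowerCase();
    const a = parseAttrs(m[3]);
    if (tag === "form") {
      formAutocomplete = m[1] === "/" ? null : (a.autocomplete || "");
    } else if (tag === "input") {
      if (a.name) nameCounts.set(a.name, (nameCounts.get(a.name) || 0) + 1);
      // An input's own autocomplete attribute overrides the enclosing form's.
      const ac = (a.autocomplete || formAutocomplete || "").toLowerCase();
      if ((a.type || "").toLowerCase() === "password" && ac !== "off") {
        findings.push(`password-storable:${a.name || "(unnamed)"}`);
      }
    } else if (/^http:\/\//i.test(a.src || "")) {
      findings.push(`mixed-content:${a.src}`); // assumes the page itself is HTTPS
    }
  }
  for (const [name, n] of nameCounts) {
    if (n > 1) findings.push(`duplicate-name:${name}`);
  }
  return findings;
}

console.log(auditLoginPage(SAMPLE_HTML));
```

Current browser password managers generally ignore `autocomplete="off"` on login fields, so the first check reflects the 2010 browser behaviour tested in this thread rather than a control that can be relied on today.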