Announcing: Daz Deals Browser Add-on


Comments

  • jakiblue Posts: 7,281

    Ok, I went to my wishlist and hit 'email notifications' and did all that. Got the passcode, entered it along with my email address, and checked all the things I wanted - wishlist price drops, sales notifications, price drops etc. Then I hit 'save'. It still says "needs to be set up" in red letters at the top tho, so I'm not sure if it was successful or not. 

    See the attached screenshot. Should that be there still? Or does it mean it didn't work? 

  • jakiblue Posts: 7,281

    OH! I thought it was that after I had posted! :) In my defense, I am STILL not quite awake. LOL.

    However, I think I've stumbled across another problem, and not sure if it's on my side or the store...I can't see the "hide product" on store pages. There's a blue button, but no text, and when I try to click it, nothing happens. See screenshot.

     

    Ati said:
    jakiblue said:

    edit: it said "read and change your data at daz3d.com" so I think I kinda panicked LOL. Also, what is 'civilization.com'?

    civilizationhunt.com, that's my site where you'll be getting the email notifications from. [email protected] will be the sender, if you want to whitelist it to make sure you get everything.

    (That's only if you sign up to receive notifications of your wishlisted items going on sale, of new sales starting, of the best prices etc.)

     

  • Ati Posts: 9,078
    jakiblue said:

    Ok, I went to my wishlist and hit 'email notifications' and did all that. Got the passcode, entered it along with my email address, and checked all the things I wanted - wishlist price drops, sales notifications, price drops etc. Then I hit 'save'. It still says "needs to be set up" in red letters at the top tho, so I'm not sure if it was successful or not. 

    See the attached screenshot. Should that be there still? Or does it mean it didn't work? 

    Close that tab, and reopen it from the wishlist page. The data you entered should be filled in, and the red warning should no longer be there.

  • Ati Posts: 9,078
    jakiblue said:

    However, I think I've stumbled across another problem, and not sure if it's on my side or the store...I can't see the "hide product" on store pages. There's a blue button, but no text, and when I try to click it, nothing happens. See screenshot.

    Is that happening with every product?

  • jakiblue Posts: 7,281

    Yes. I tried three random new ones, and two older ones and the blue box is there on every page, with no text, and button does nothing when pushed.

    Ati said:
    jakiblue said:

    However, I think I've stumbled across another problem, and not sure if it's on my side or the store...I can't see the "hide product" on store pages. There's a blue button, but no text, and when I try to click it, nothing happens. See screenshot.

    Is that happening with every product?

     

  • Ati Posts: 9,078
    jakiblue said:

    Yes. I tried three random new ones, and two older ones and the blue box is there on every page, with no text, and button does nothing when pushed.

    Ati said:
    jakiblue said:

    However, I think I've stumbled across another problem, and not sure if it's on my side or the store...I can't see the "hide product" on store pages. There's a blue button, but no text, and when I try to click it, nothing happens. See screenshot.

    Is that happening with every product?

    That's something that needs to be investigated. Anyone else having this issue?

  • I am having the blue button issue as well in Chrome.

     

  • There were some JavaScript errors on the web site code earlier. It's possible there's something conflicting because of that. I'll check it again soon. Sorry about that!
  • I was seeing the same thing earlier. 

    But this update rocks. Great work, guys! I think you're right... this will change the way I shop. The price history is something I've wanted for a long time. 

  • mrinal Posts: 641
    edited December 2016

     

    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

    The price history - is that based on the price shown in the catalog or based on the lowest price showed up on someone's cart? Basically, does it factor in the myriad stacking of discounts?

    It's the best pc+ base price for the given day. It does not include stacking discounts. It's how much it would have cost to buy that product alone.

    Just to be clear on what is being considered as a base price here. Say a $10 item shows up in the catalog at 40% off which means the price would be $6. But say, if I have 30% loyalty discount and I add the item to my cart and assuming its the only item in my cart (i.e buying it alone), the price would show up as $4.2 instead of $6. So which price is being considered for the price history here?

    (I have used the loyalty bonus as an example. However, it could be any offer that doesn't require a purchase but the final offered price shows up only in the cart.)

    It's the price that is shown on the product page itself.

    In your loyalty discount example, the loyalty discount is not shown in the price history.

    Can we have a lite version of the add-on showing just the percentage discounts in the cart? Because that's what I mostly use this for. Now that Chrome has automatically upgraded the add-on, I am unable to revert back to the older version.

    Since the pricing calculations in Daz are very different from other e-commerce sites like Amazon or Walmart, I don't think I can rely on the displayed price history data. Not saying that there is any issue with this add-on, but the computations are sufficiently complex to be reliably computed by a browser addon without passing cart information back to the server (and I wouldn't like an add-on to do that i.e. sending data to an external server without my knowledge). Also the extra permissions for 'civilizationhunt.com' doesn't seem necessary for the features I use

  • 3Diva Posts: 11,276

    I really didn't think it was possible for Daz Deals to get better ...I was WRONG! It's even better than ever now! I'm really loving the changes! Thank you!

  • mrinal Posts: 641
    edited December 2016
    mrinal said:

     

    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

    The price history - is that based on the price shown in the catalog or based on the lowest price showed up on someone's cart? Basically, does it factor in the myriad stacking of discounts?

    It's the best pc+ base price for the given day. It does not include stacking discounts. It's how much it would have cost to buy that product alone.

    Just to be clear on what is being considered as a base price here. Say a $10 item shows up in the catalog at 40% off which means the price would be $6. But say, if I have 30% loyalty discount and I add the item to my cart and assuming its the only item in my cart (i.e buying it alone), the price would show up as $4.2 instead of $6. So which price is being considered for the price history here?

    (I have used the loyalty bonus as an example. However, it could be any offer that doesn't require a purchase but the final offered price shows up only in the cart.)

    It's the price that is shown on the product page itself.

    In your loyalty discount example, the loyalty discount is not shown in the price history.

    Can we have a lite version of the add-on showing just the percentage discounts in the cart? Because that's what I mostly use this for. Now that Chrome has automatically upgraded the add-on, I am unable to revert back to the older version.

    Since the pricing calculations in Daz are very different from other e-commerce sites like Amazon or Walmart, I don't think I can rely on the displayed price history data. Not saying that there is any issue with this add-on, but the computations are sufficiently complex to be reliably computed by a browser addon without passing cart information back to the server (and I wouldn't like an add-on to do that i.e. sending data to an external server without my knowledge). Also the extra permissions for 'civilizationhunt.com' doesn't seem necessary for the features I use

    Moreover, most of the time, we do not shop here to buy just a single item. Except a few occasional offers, most of the discount offers here are designed for selling multiple items in the same order. So the price history could be misleading for new buyers who are yet to warm up to Daz sales strategy. With additional stacking discounts applied on their cart, most of the time they would find the prices in their cart below the all time low prices shown in the history and hence they may be misled into believing that this is best offer for the item in a while. This could work in a opposite direction as well - say if they see the catalog price higher than the all time low price, they may not be compelled to buy the item, but the prices for same item once in their cart (along with other items) could be significantly lower than what they saw and interpreted on the item catalog.

    Even for seasoned buyers, the price history could be misleading. Daz already adjusts the displayed discount of items in the catalog based on the offers they are running. Say, right now most of the featured artist catalog items (non DOs, non PC+) would have the base discount displayed at 40%. But, when the same items are added to the cart along with other offer requirements they are significantly lower priced. But, if someone were to look at the price history on another day, a typical 65% off displayed on the catalog may seem more lucrative. They may not even know that the same item was available at much much higher 'stacked' discount just days back even if they are seeing a better discount in the catalog that day.

    The stacking nature of discounts here and the typical mentality of interpreting price history based upon prior experience from other sites (like camelcamelcamel for Amazon or Steamdb/steamspy for Steam) could further confuse many folks.

    On the notifications front, it would have been nice to setup a threshold price/discount rate for being notified. Currently, I get irritated when Rendo sends out a notification mail whenever a wishlisted item goes on sale even at a 5% discount. You may want to see how camelcamelcamel does that. But if the threshold price is still based upon the base discounted price shown on the catalog it would still not serve the purpose because if I wanted to buy an item, at say 80% off, the displayed catalog discount may never reach that level even though I may still be able to reach that through stacking. So, in a way, it diminishes (if not defeats) the whole purpose of notifications and tracking.

     

  • Ati Posts: 9,078
    edited December 2016
    mrinal said:

     

    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

    The price history - is that based on the price shown in the catalog or based on the lowest price showed up on someone's cart? Basically, does it factor in the myriad stacking of discounts?

    It's the best pc+ base price for the given day. It does not include stacking discounts. It's how much it would have cost to buy that product alone.

    Just to be clear on what is being considered as a base price here. Say a $10 item shows up in the catalog at 40% off which means the price would be $6. But say, if I have 30% loyalty discount and I add the item to my cart and assuming its the only item in my cart (i.e buying it alone), the price would show up as $4.2 instead of $6. So which price is being considered for the price history here?

    (I have used the loyalty bonus as an example. However, it could be any offer that doesn't require a purchase but the final offered price shows up only in the cart.)

    It's the price that is shown on the product page itself.

    In your loyalty discount example, the loyalty discount is not shown in the price history.

    Can we have a lite version of the add-on showing just the percentage discounts in the cart?

    Almost everything is customizable. :) Go to the options page of the addon (simply click on the icon), and you can turn on or off the features that you would like to use. If there is something you do not want to use, simply uncheck the checkbox in front of the feature name, and poof, it's off, while the rest remain turned on! We thought of everything! (Well, okay, we didn't, but this one we did. :))

  • Ati Posts: 9,078
    mrinal said:
    mrinal said:

     

    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

    The price history - is that based on the price shown in the catalog or based on the lowest price showed up on someone's cart? Basically, does it factor in the myriad stacking of discounts?

    It's the best pc+ base price for the given day. It does not include stacking discounts. It's how much it would have cost to buy that product alone.

    Just to be clear on what is being considered as a base price here. Say a $10 item shows up in the catalog at 40% off which means the price would be $6. But say, if I have 30% loyalty discount and I add the item to my cart and assuming its the only item in my cart (i.e buying it alone), the price would show up as $4.2 instead of $6. So which price is being considered for the price history here?

    (I have used the loyalty bonus as an example. However, it could be any offer that doesn't require a purchase but the final offered price shows up only in the cart.)

    It's the price that is shown on the product page itself.

    In your loyalty discount example, the loyalty discount is not shown in the price history.

    Can we have a lite version of the add-on showing just the percentage discounts in the cart? Because that's what I mostly use this for. Now that Chrome has automatically upgraded the add-on, I am unable to revert back to the older version.

    Since the pricing calculations in Daz are very different from other e-commerce sites like Amazon or Walmart, I don't think I can rely on the displayed price history data. Not saying that there is any issue with this add-on, but the computations are sufficiently complex to be reliably computed by a browser addon without passing cart information back to the server (and I wouldn't like an add-on to do that i.e. sending data to an external server without my knowledge). Also the extra permissions for 'civilizationhunt.com' doesn't seem necessary for the features I use

    On the notifications front, it would have been nice to setup a threshold price/discount rate for being notified.

    You can set up a general discount percent above which you want to be notified. You can also set a per-item price. In that case the item does not even have to be in your wishlist to get a notification for it. In this case you set an individual price, so it can be 20% for one product, 99% for another.

    As for stacking, there is no way an outside system can know what personal discounts and coupons you have, or what products you would like to buy. This gives you a base to work with, see which products have a high discount to start with, and then you can work your way through them with stacking discounts.

    Even if it were possible to calculate all the stacking discounts (which it isn't), I don't think I would do it. That would just take the fun away from everything. :)

  • Fishtales Posts: 6,039

    I dislike percentages as they don't fit all scenarios. If my budget is $5 and I put in 80% then it shows items that can be well above that limit, which defeats the purpose.

    I would like to see a button to show items in my wishlist that are in sales with multiple items, like the 4000 item sale today. Scrolling through multiple pages looking for the heart symbol is soul destroying, especially when you get to the end and there are none in it.

  • Ati Posts: 9,078
    Fishtales said:

    I would like to see a button to show items in my wishlist that are in sales with multiple items, like the 4000 item sale today. Scrolling through multiple pages looking for the heart symbol is soul destroying, especially when you get to the end and there are none in it.

    Although that's not in the addon, you can use the Wishlistify bookmarklet for that. Either Morgan's original: http://3dwishlist.com/bookmarklet or my modification, which will also work on filtered pages: http://civilizationhunt.com/ds/wishlistifyplus.html

  • mrinal Posts: 641
    Ati said:
    mrinal said:

     

    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

    The price history - is that based on the price shown in the catalog or based on the lowest price showed up on someone's cart? Basically, does it factor in the myriad stacking of discounts?

    It's the best pc+ base price for the given day. It does not include stacking discounts. It's how much it would have cost to buy that product alone.

    Just to be clear on what is being considered as a base price here. Say a $10 item shows up in the catalog at 40% off which means the price would be $6. But say, if I have 30% loyalty discount and I add the item to my cart and assuming its the only item in my cart (i.e buying it alone), the price would show up as $4.2 instead of $6. So which price is being considered for the price history here?

    (I have used the loyalty bonus as an example. However, it could be any offer that doesn't require a purchase but the final offered price shows up only in the cart.)

    It's the price that is shown on the product page itself.

    In your loyalty discount example, the loyalty discount is not shown in the price history.

    Can we have a lite version of the add-on showing just the percentage discounts in the cart?

    Almost everything is customizable. :) Go to the options page of the addon (simply click on the icon), and you can turn on or off the features that you would like to use. If there is something you do not want to use, simply uncheck the checkbox in front of the feature name, and poof, it's off, while the rest remain turned on! We thought of everything! (Well, okay, we didn't, but this one we did. :))

    Not the way I see it. Right now I cannot use the add-on unless I grant it permission to access 'civilizationhunt.com'. This was not the case till yesterday. The permissions used by the add-on, they are not optional. I just want to see the percentage discounts in the cart (just like yesterday) and as I said earlier, it doesn't need access permissions to 'civilizationhunt.com' for that functionality. Not that I do not trust the site or the people behind it, but just that I do not see the need for it for the features I use.

  • Fishtales Posts: 6,039
    Ati said:
    Fishtales said:

    I would like to see a button to show items in my wishlist that are in sales with multiple items, like the 4000 item sale today. Scrolling through multiple pages looking for the heart symbol is soul destroying, especially when you get to the end and there are none in it.

    Although that's not in the addon, you can use the Wishlistify bookmarklet for that. Either Morgan's original: http://3dwishlist.com/bookmarklet or my modification, which will also work on filtered pages: http://civilizationhunt.com/ds/wishlistifyplus.html

    Thanks, I forgot I had that.

  • Ati Posts: 9,078
    mrinal said:
    Ati said:
    mrinal said:

     

    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

    The price history - is that based on the price shown in the catalog or based on the lowest price showed up on someone's cart? Basically, does it factor in the myriad stacking of discounts?

    It's the best pc+ base price for the given day. It does not include stacking discounts. It's how much it would have cost to buy that product alone.

    Just to be clear on what is being considered as a base price here. Say a $10 item shows up in the catalog at 40% off which means the price would be $6. But say, if I have 30% loyalty discount and I add the item to my cart and assuming its the only item in my cart (i.e buying it alone), the price would show up as $4.2 instead of $6. So which price is being considered for the price history here?

    (I have used the loyalty bonus as an example. However, it could be any offer that doesn't require a purchase but the final offered price shows up only in the cart.)

    It's the price that is shown on the product page itself.

    In your loyalty discount example, the loyalty discount is not shown in the price history.

    Can we have a lite version of the add-on showing just the percentage discounts in the cart?

    Almost everything is customizable. :) Go to the options page of the addon (simply click on the icon), and you can turn on or off the features that you would like to use. If there is something you do not want to use, simply uncheck the checkbox in front of the feature name, and poof, it's off, while the rest remain turned on! We thought of everything! (Well, okay, we didn't, but this one we did. :))

    Not the way I see it. Right now I cannot use the add-on unless I grant it permission to access 'civilizationhunt.com'. This was not the case till yesterday. The permissions used by the add-on, they are not optional. I just want to see the percentage discounts in the cart (just like yesterday) and as I said earlier, it doesn't need access permissions to 'civilizationhunt.com' for that functionality. Not that I do not trust the site or the people behind it, but just that I do not see the need for it for the features I use.

    Short answer: your concerns have been noted and we'll see what we can do about them.

    Long answer: even while we're seeing what we can do about them, if you want to get really technical, here are a few suggestions to ease your mind. You can check the source of the addon to see what is being used and when. That way you can be sure that if you turn a feature off, it will indeed not be used. You can also check the network traffic in your browser to see if a site is being accessed or not when a feature is turned off, to further make sure things work as intended. And most drastically, you can even disable your entire computer's access to that domain by pointing it to your own local computer in the hosts file. This has the side effect of breaking the addon's functionality if you later decide to use these features. (And you won't be able to access my website, which is in itself sad because there are two great books there, created using Daz Studio. ;))

  • mrinal Posts: 641
    edited December 2016
    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

     

    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

    The price history - is that based on the price shown in the catalog or based on the lowest price showed up on someone's cart? Basically, does it factor in the myriad stacking of discounts?

    It's the best pc+ base price for the given day. It does not include stacking discounts. It's how much it would have cost to buy that product alone.

    Just to be clear on what is being considered as a base price here. Say a $10 item shows up in the catalog at 40% off which means the price would be $6. But say, if I have 30% loyalty discount and I add the item to my cart and assuming its the only item in my cart (i.e buying it alone), the price would show up as $4.2 instead of $6. So which price is being considered for the price history here?

    (I have used the loyalty bonus as an example. However, it could be any offer that doesn't require a purchase but the final offered price shows up only in the cart.)

    It's the price that is shown on the product page itself.

    In your loyalty discount example, the loyalty discount is not shown in the price history.

    Can we have a lite version of the add-on showing just the percentage discounts in the cart?

    Almost everything is customizable. :) Go to the options page of the addon (simply click on the icon), and you can turn on or off the features that you would like to use. If there is something you do not want to use, simply uncheck the checkbox in front of the feature name, and poof, it's off, while the rest remain turned on! We thought of everything! (Well, okay, we didn't, but this one we did. :))

    Not the way I see it. Right now I cannot use the add-on unless I grant it permission to access 'civilizationhunt.com'. This was not the case till yesterday. The permissions used by the add-on, they are not optional. I just want to see the percentage discounts in the cart (just like yesterday) and as I said earlier, it doesn't need access permissions to 'civilizationhunt.com' for that functionality. Not that I do not trust the site or the people behind it, but just that I do not see the need for it for the features I use.

    Short answer: your concerns have been noted and we'll see what we can do about them.

    Long answer: even while we're seeing what we can do about them, if you want to get really technical, here are a few suggestions to ease your mind. You can check the source of the addon to see what is being used and when. That way you can be sure that if you turn a feature off, it will indeed not be used. You can also check the network traffic in your browser to see if a site is being accessed or not when a feature is turned off, to further make sure things work as intended. And most drastically, you can even disable your entire computer's access to that domain by pointing it to your own local computer in the hosts file. This has the side effect of breaking the addon's functionality if you later decide to use these features. (And you won't be able to access my website, which is in itself sad because there are two great books there, created using Daz Studio. ;))

    Sounds great. Since it's not possible to monitor access to a site through an addon 24/7, nor do I have the patience to compile it from source (I would just keep the basic functionalities that I need, if I ever did), I would just make an entry for '127.0.0.1 civilizationhunt.com' in my windows/system32/drivers/etc/hosts file. That should take care of things until a lite-r version shows up in the add-on store which does not require those permissions.

    I am sure you wouldn't want the potential readership of your books getting negatively impacted due to a browser add-on ;)

  • Ati Posts: 9,078

    I really didn't think it was possible for Daz Deals to get better ...I was WRONG! It's even better than ever now! I'm really loving the changes! Thank you!

    I'm glad you like the new features. I was pretty much in read-only mode on the forums these past few weeks (months?) because of the development, LOL. :) I really think it was worth it! :)

  • mrinal Posts: 641
    edited December 2016

    Okay, to summarize, since I am not comfortable with accepting the base discount on the product page as a sole indicator to determine price history, I would not be using that feature of this add-on. Also since the notification feature is also based on the same factor, I would not be using that as well. And since I would not be using those features, I would not be needing access to 'civilizationhunt.com' at all.

    I null routed that domain in my hosts file and most of the core functionalities prior to v2 seem to work fine (except for that annoying blue box that jakiblue mentioned earlier).

    As a side note, if you still insist on working on that price history, I would suggest that you just provide a link on the product page which would direct the user to your site (preferably in a new window passing the SKU as parameter) where you can display that information. That way you do not risk corroding user confidence by asking for additional permissions whenever you roll out a new feature.

    There's another angle to it as well. By embedding external content on a Daz page (through an add-on) you are making it vulnerable to hacks like cross-site scripting/request forgery, session hijacking and code injection should your own site ever get compromised. I am not sure if folks at Daz would encourage such practice.

     

  • barbult Posts: 23,049
    mrinal said:

    Okay, to summarize, since I am not comfortable with accepting the base discount on the product page as a sole indicator to determine price history, I would not be using that feature of this add-on. Also since the notification feature is also based on the same factor, I would not be using that as well. And since I would not be using those features, I would not be needing access to 'civilizationhunt.com' at all.

    I null routed that domain in my hosts file and most of the core functionalities prior to v2 seem to work fine (except for that annoying blue box that jakiblue mentioned earlier).

    As a side note, if you still insist on working on that price history, I would suggest that you just provide a link on the product page which would direct the user to your site (preferably in a new window passing the SKU as parameter) where you can display that information. That way you do not risk corroding user confidence by asking for additional permissions whenever you roll out a new feature.

    There's another angle to it as well. By embedding external content on a Daz page (through an add-on) you are making it vulnerable to hacks like cross-site scripting/request forgery, session hijacking and code injection should your own site ever get compromised. I am not sure if folks at Daz would encourage such practice.

     

    Sounds like some good ideas to consider here.

  • Ati Posts: 9,078
    barbult said:
    mrinal said:

    Okay, to summarize, since I am not comfortable with accepting the base discount on the product page as a sole indicator to determine price history, I would not be using that feature of this add-on. Also since the notification feature is also based on the same factor, I would not be using that as well. And since I would not be using those features, I would not be needing access to 'civilizationhunt.com' at all.

    I null routed that domain in my hosts file and most of the core functionalities prior to v2 seem to work fine (except for that annoying blue box that jakiblue mentioned earlier).

    As a side note, if you still insist on working on that price history, I would suggest that you just provide a link on the product page which would direct the user to your site (preferably in a new window passing the SKU as parameter) where you can display that information. That way you do not risk corroding user confidence by asking for additional permissions whenever you roll out a new feature.

    There's another angle to it as well. By embedding external content on a Daz page (through an add-on) you are making it vulnerable to hacks like cross-site scripting/request forgery, session hijacking and code injection should your own site ever get compromised. I am not sure if folks at Daz would encourage such practice.

     

    Sounds like some good ideas to consider here.

    While what was written is true, this has been taken into consideration from the very beginning of development. This is exactly why, for security reasons, no remotely fetched code is directly added to any page. Everything that is directly added, is included in the addon itself, and the dynamic chart is on a different page, on a different domain. This different domain ensures that even if there is a security breach, same origin policy prevents any injections. (Rightclick on the notification text below the chart, and choose view frame source. You'll see that the entire chart is coming from a different page from a different domain, and is not directly part of the daz page.)
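The two checks discussed in this thread (reading an add-on's source to see which hosts it must be granted, and confirming that remotely fetched content only ever arrives inside a frame rather than being written into the page) can be scripted against an unpacked extension. The following is an added example, not part of the thread and not the Daz Deals code: the manifest, the script contents and the URL paths in them are constructed, and the sink list is a heuristic that goes beyond the one case described above.

```javascript
'use strict';
// Added example. Every manifest and script below is a CONSTRUCTED sample.

// Heuristic sinks through which fetched text could become markup or code in a page.
const SINKS = [
  { id: 'eval', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: 'html-injection',
    re: /\.(innerHTML|outerHTML)\s*\+?=|insertAdjacentHTML\s*\(|document\.write\s*\(/ },
  { id: 'script-element', re: /createElement\s*\(\s*['"]script['"]\s*\)/ },
];
// A frame keeps remote content in its own origin, so it is reported separately.
const FRAME = /createElement\s*\(\s*['"]iframe['"]\s*\)/;

// Host part of a match pattern ("*://*.example.com/*"), "*" for <all_urls>,
// or null for API permissions such as "storage" that are not host patterns.
function hostOfPattern(pattern) {
  if (pattern === '<all_urls>') return '*';
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[2] : null;
}

// True when host (possibly "*.site.com") belongs to a site the add-on is meant for.
function isExpectedHost(host, expectedHosts) {
  const bare = host.replace(/^\*\./, '');
  return expectedHosts.some(e => bare === e || bare.endsWith('.' + e));
}

// Separates hosts the user must accept at install time from hosts that are opt-in.
function auditManifest(manifest, expectedHosts) {
  const hostsIn = list => (list || []).map(hostOfPattern).filter(h => h !== null);
  const matches = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  const required = new Set([...hostsIn(manifest.permissions),
    ...hostsIn(manifest.host_permissions), ...hostsIn(matches)]);
  const optional = new Set([...hostsIn(manifest.optional_permissions),
    ...hostsIn(manifest.optional_host_permissions)]);
  const rawCsp = manifest.content_security_policy || '';
  const csp = typeof rawCsp === 'string' ? rawCsp : Object.values(rawCsp).join('; ');
  return {
    requiredExtra: [...required].filter(h => !isExpectedHost(h, expectedHosts)).sort(),
    optional: [...optional].sort(),
    cspAllowsRemoteCode: /script-src[^;]*(https?:|'unsafe-eval')/.test(csp),
  };
}

// Line-by-line scan of script sources; returns {file, line, id} findings.
function scanSource(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split('\n').forEach((src, i) => {
      if (/^\s*\/\//.test(src)) return; // ignore full-line comments
      for (const s of SINKS) {
        if (s.re.test(src)) findings.push({ file, line: i + 1, id: s.id });
      }
      if (FRAME.test(src)) findings.push({ file, line: i + 1, id: 'frame-embed' });
    });
  }
  return findings;
}

// Constructed manifest: the second host is required, so it cannot be declined.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Example Deals Helper',
  permissions: ['storage', '*://*.daz3d.com/*', '*://civilizationhunt.com/*'],
  content_scripts: [{ matches: ['*://*.daz3d.com/*'], js: ['chart.js'] }],
  content_security_policy: "script-src 'self'; object-src 'self'",
};

// Constructed scripts; the URL paths are hypothetical placeholders.
const SAMPLE_FILES = {
  // Frame-based embedding: remote content stays in the other origin.
  'chart.js': [
    "const frame = document.createElement('iframe');",
    "frame.src = 'https://civilizationhunt.com/EXAMPLE-CHART?sku=' + encodeURIComponent(sku);",
    "document.querySelector('#product').appendChild(frame);",
  ].join('\n'),
  // Counter-example: fetched text written straight into the host page.
  'risky.js': [
    "fetch('https://civilizationhunt.com/EXAMPLE-WIDGET').then(r => r.text())",
    "  .then(html => { box.innerHTML = html; });",
  ].join('\n'),
};

console.log(auditManifest(SAMPLE_MANIFEST, ['daz3d.com']));
console.log(scanSource(SAMPLE_FILES));
```

A host that shows up under `requiredExtra` is one the user has to accept in order to install at all; the same host under `optional` could be granted only when the feature that needs it is switched on.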

  • dreamfarmerdreamfarmer Posts: 2,128

    I love the price history on each page. I used it to decide which Day One freebies to use the coupon on, in order to get what I best considered value. I'm actually confused by mrinal's concern that the price history might confuse people, because it IS useful as-is. The history gives you an idea of how often the price fluctuates, which is meaningful when deciding whether to jump on a deal. It can also tell you when you're NOT getting the best deal and just how low the price regularly (or irregularly) goes. Please don't take it away!

  • mrinalmrinal Posts: 641
    Ati said:
    barbult said:
    mrinal said:

    Okay, to summarize, since I am not comfortable with accepting the base discount on the product page as a sole indicator to determine price history, I would not be using that feature of this add-on. Also since the notification feature is also based on the same factor, I would not be using that as well. And since I would not be using those features, I would not be needing access to 'civilizationhunt.com' at all.

    I null routed that domain in my hosts file and most of the core functionalities prior to v2 seem to work fine (except for that annoying blue box that jakiblue mentioned earlier).

    As a side note, if you still insist on working on that price history, I would suggest that you just provide a link on the product page which would direct the user to your site (preferably in a new window passing the SKU as parameter) where you can display that information. That way you do not risk corroding user confidence by asking for additional permissions whenever you roll out a new feature.

    There's another angle to it as well. By embedding external content on a Daz page (through an add-on) you are making it vulnerable to hacks like cross-site scripting/request forgery, session hijacking and code injection should your own site ever get compromised. I am not sure if folks at Daz would encourage such practice.

     

    Sounds like some good ideas to consider here.

    While what was written is true, this has been taken into consideration from the very beginning of development. This is exactly why, for security reasons, no remotely fetched code is directly added to any page. Everything that is directly added is included in the addon itself, and the dynamic chart is on a different page, on a different domain. This different domain ensures that even if there is a security breach, same origin policy prevents any injections. (Right-click on the notification text below the chart, and choose view frame source. You'll see that the entire chart is coming from a different page from a different domain, and is not directly part of the daz page.)

    That's exactly my concern. If the external site gets hacked or compromised, the attacker could replace that image with a malicious executable script and camouflage that script along with the same image. So end users would still see that image while unknowingly downloading that script in the background as part of image data. Since the malicious script would then be running in the same browser window as the Daz page it could manipulate other javascript code on that page and initiate requests on the user's behalf. The script could even be used to access and pass on confidential information like mail id or contact details through a blank browser frame in the background which would go unnoticed and submit that information to another domain. Daz servers would see those requests as genuine requests coming from the user's browser - like a user trying to view their own contact details.

    A crafty attacker could even exploit this to initiate DDoS attacks from the user's browser on a good sale day.

    The same origin policy applies only to cookies but does not provide sufficient protection against javascript and code injection attacks. A simple way to understand is that most web sites load their static content and scripts from a different domain - a CDN, so same origin policy does not apply there.

  • AtiAti Posts: 9,078
    mrinal said:

    The same origin policy applies only to cookies

    https://en.wikipedia.org/wiki/Same-origin_policy

  • mrinalmrinal Posts: 641
    Ati said:
    mrinal said:

    The same origin policy applies only to cookies

    https://en.wikipedia.org/wiki/Same-origin_policy

    Exactly. Quoting from the same page: "A strict separation between content provided by unrelated sites must be maintained on the client-side to prevent the loss of data confidentiality or integrity."

  • mrinalmrinal Posts: 641

     

    mrinal said:
    Ati said:
    mrinal said:

    The same origin policy applies only to cookies

    https://en.wikipedia.org/wiki/Same-origin_policy

    Exactly. Quoting from the same page: "A strict separation between content provided by unrelated sites must be maintained on the client-side to prevent the loss of data confidentiality or integrity."

    Also not to mention that you have partially quoted my sentence which can potentially alter its meaning.

  • @mrinal the Web Extension security model is slightly different and there are other security standards at play than just the Same-Origin Policy. The iframe is sufficiently sandboxed (for one) which prevents its scripts affecting the page it was loaded in. Also, Web Extensions may not execute code loaded from remote sites (like CDNs) nor can they use eval, inline scripts and the like--all done to prevent the sort of risks you describe. Regardless, I'm glad you've found a way to use the extension to your liking. :)
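The controls named in the thread (a cross-origin frame, the iframe `sandbox` attribute, and an extension CSP without remote or dynamic script sources) can be checked mechanically. The following is an added example, not part of any post and not the add-on's own code; the manifests, sandbox values and URL paths are constructed samples, not the add-on's real configuration.

```javascript
// Added illustration; manifests, frame attributes and URL paths are constructed samples.
const HOST = 'https://www.daz3d.com/product-placeholder';
const CHART = 'https://civilizationhunt.com/chart-placeholder';

// Same-origin test: scheme, host and port must all match.
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// Manifest V2 stores the CSP as a string, V3 under extension_pages.
function extensionCsp(manifest) {
  const csp = manifest.content_security_policy;
  return typeof csp === 'string' ? csp : (csp && csp.extension_pages) || '';
}

// Flag script sources that would let extension pages run remote or dynamic code.
function auditCsp(csp) {
  const findings = [];
  for (const directive of csp.split(';').map(d => d.trim()).filter(Boolean)) {
    const [name, ...sources] = directive.split(/\s+/);
    if (name !== 'script-src' && name !== 'default-src') continue;
    for (const src of sources) {
      if (src === "'unsafe-eval'" || src === "'unsafe-inline'") findings.push(`${name} allows ${src}`);
      else if (src === '*' || /^https?:/i.test(src)) findings.push(`${name} allows remote code from ${src}`);
    }
  }
  return findings;
}

// Flag an embedded frame that could reach into, or navigate, the host page.
function auditFrame(hostUrl, frame) {
  const findings = [];
  const shared = sameOrigin(hostUrl, frame.src);
  if (shared) findings.push('frame shares the host origin, so same-origin policy does not isolate it');
  if (frame.sandbox == null) return findings.concat('no sandbox attribute');
  const tokens = frame.sandbox.split(/\s+/).filter(Boolean);
  if (tokens.includes('allow-top-navigation')) findings.push('frame may navigate the top-level page');
  if (shared && tokens.includes('allow-scripts') && tokens.includes('allow-same-origin'))
    findings.push('frame script can remove its own sandbox');
  return findings;
}

// Constructed sample manifests: one hardened (V3 form), one weak (V2 form).
const hardened = { content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" } };
const weak = { content_security_policy: "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'" };
console.log(auditCsp(extensionCsp(hardened)));
console.log(auditCsp(extensionCsp(weak)));
console.log(auditFrame(HOST, { src: CHART, sandbox: 'allow-scripts' }));
console.log(auditFrame(HOST, { src: HOST, sandbox: 'allow-scripts allow-same-origin' }));
```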
This discussion has been closed.