the return of the webform bot

The zoo has a web form bot lookup from years and years ago to be honest i not sure it was working since it does not see any action until it caught some web bots trying to send us messages of no value which a script reports to me daily.

Not sure if they got past our captcha either.

It has been a while but i am glad i did not dump that feature.even with the settings we had.

fun with Content Security Policies

Is something your website can do and has included in the spectrum is hpkp (my blog) which is generally considered a nightmare and broken but other content security things are needed by some web things to work..

As kind of tls related i decided to make the zoo compatible with the more common csp’s unused here in the zoo. There are easy headers like hsts, x-frame*, set-cookie, xss and hard ones csp is hard.  I was missing a couple and thought why not.

However csp seems to allow stuff but is quite tricky to figure out the format which goes

<set header> default-src ‘self’ data: hostname; script-src * data: hostname style-src data: hostname

Chrome browser is helpful here for diagnosing stuff, although i never bothered to look at firefox’s tools.

I had to use a wildcard with our policy on the hostnane but things eventually worked.

hkpk remains something i wont touch with a bargepole for if Symantec can issue bad ev [the green ones] unauthorised then the danger becomes clear to all.

apache2-doc debian weirdness fixed

If like the zoo you upgraded from debian 8 to debian 9 (my blog) then apache2-doc fails to do something on the lines of

ERROR: Conf apache2-doc does not exist!
dpkg: error processing package apache2 (–configure):

But apache still runs.  – An purge and install eg:

apt purge apache2-doc;apt install apache2-doc

Fixes it so shit software like systemd will not complain about it.  Honestly no idea why you have to do this when the version of the package was current but that’s how things go with systemd

http/2 in the wild

I have a new plugin that tells me when http/2 is in use and many well known sites still do not support http/2.  It kind of surprised me but it should not after all those grey icons for dnssec (my blog) mostly stay grey – forget it not even red (error) or green (ok).

I have yet to bother with hpkp (my blog)  and seriously doubt there is a plug-in for that, after all very few sites even have that.

http/2 in debian

tube recycle those 1’s and 0’s

Was surprisingly easy to setup in debian 9.2 in apache -turn on the module and add

# for a https server
Protocols h2 http/1.1
# for a http server
Protocols h2c http/1.1

depending on the host config and a software restart – I doubt anybody will notice.

Much better than that spdy (my blog) crap alphabet was promoting.


The ideal google webpage in reality

tapIs more mobile friendly than computer based but if your html is up to standard then quite achievable.

The webserver component is interesting although tricky to decide if what it suggests works – that maybe through debian stable doing its thing.

This is not seo, and industry seo ‘experts’ broke but just html and even something’s are new to me although i dont claim to be a mobile user with there retarded apps (my blog) for instance a tap point is nothing to do with tap dancing but an ahref link and css.

Concerning me is the minified text content that also includes html.  while i can do css and js files it does make troubleshooting fucking hard work and i am not parsing my html in a foreign website where i have no idea what extra content it adds.  No html minifier exists in the .deb ecosystem.

So compiled node.js and installed via npm two minifiers.  One only works via copy and paste on a website, the other worked but the rating algorithm found its work poor and recommended minfying it.

Minifying is best for incomprehensible css, js and php make no difference. html is a disaster area take this.


It becomes (via an online tool)

</footer></div></div><!--[if lte IE 8]>http://js1/respond.js<![endif]-->

Ignoring \n removal – can i have my /body and the rest back ?

Oh good luck fixing that in real life

I had a 100% user experience rating and the page speed was ok although without minification for reasons explained

Security of pages [https] seems ignored and page blocking detection from frames via somebodies else’s website (think this) is frowned upon so i ignored some of the recommendations.  I’d rather not display html to a client if that is how it is delivered rather than direct.

headachejquery that does css blocks (imagine form html) is also frowned on but then i thinking client experience rather than googles worries.

php is interesting – using

zlib.output_compression = On

Resulted in no php content so do not take these suggestions are 100% practicable

Page design is almost an art form and as to tap points what the hell cannot they be called link anchors/url’s.

If i ever find out the web designer that coined the term tap points then they should be shot dead for reasons of sanity.   HUGE Font sizing looks RIDICULOUS

These ideals are for the benefit of google not the open ‘web’

hashing woes with csp and googles chrome

wenlock a policeman


<script async src="https:/zoo/js/jquery.thing.js" integrity="sha384-xxx" crossorigin="anonymous" defer>

Was giving the zoo a load error with our csp which is a rather lax affair however i found out that sha384 hashes where not liked by googles chrome and a 256 hash worked.

I can’t remember editing the js so changing it or needing to but the mix messages of the csp did make it kind of hard to figure what was wrong – i am blaming chrome not myself.

The thing does not complain as much now. So fixed i think for chrome although it feels a bit like chrome is the next internet explorer incarnate..


webp – not a image panacea.

not that gimp

webp is a image format that chrome reads and gwenview does as well on my linux desktop  If your a windoze ormac user good luck. The gimp* in its current version cannot or imagemagik so it is limited.

I was not impressed and you might need a different browser to see webp.images

size wise

ls -la cr*
-rw-r–r– 1 bananas bananas 18344 Nov 4 19:52 craving.jpeg
-rw-r–r– 1 bananas bananas 1566 Nov 5 19:14 craving.webp

Amazing no ? a gwenview convert

However it changes this jpeg

To (unable to upload webp images to wordpress) so a screenshot. the webp image will be downloaded by firefox as well for openiing in something else. – so your probably looking at browser strings to decide what image each sees and some kind of conditional language statement..

So its a bit blurry. No its not your eyes

It might be fast but seems a little too google friendly not everybody uses google.

Webp seems to have a long way to go.   Can’t recommend can you?.

seo and webdesigner spammers are weird

Kkaran Bahree indian crook of well know ill repute

Strange bunch – I would like to know

why send via outlook,com – microsoft free email it is not like microsoft are writing ie6 compatible sites for us, I hate microsoft and report it as spam and i can fuck up microsoft free email that way too..

I am amused to read (if it gets past the spam filter) that microshit only employ 10 people.  Are these indians doing this too incompetent to have a domain themselves ?

Use of return receipts  – so first thing it does is ask for a confirmation and them ….

Asks for another human reply -you just got one so what was wrong with the one from above ? you demanded .

no checking of websites – The monkey house does not give a shit that we are not number 1, and yes our design is mobile friendly.

Forward of the original email.  – er why would i reply to that ?


Scammy cookie explanation websites

Cookies on websites are weird your warned but have to accept whatever woe may or may not come your way. * is the site that fails to load at all listing it seems pointless and a lot of sites show it.

the other site had an advert for a scammy technical support firm on the front page. Which gave me the wrong impression.

ttp author and bad man

If the intention was to de-escalate the threat that these electric biscuit** things might do then i was none the wiser and downright concerned about the explanation of cookies from the american chamber of commerce..

Somehow they will not be part of any website redesign i do explaining what a cookie is.

*the people who made Hillary Clinton unelectable ** sweet ?