Security and Javascript

MJ Ray mjr at phonecoop.coop
Fri Jun 28 11:04:14 UTC 2013


On 28/06/13 11:36, Carsten Agger wrote:
> MJ Ray wrote:
>> I'd love it if we shared good practice and encourage people to install
>> things like noscript.net.
>>
> There is a problem with that, though: Web designers nowadays want to
> create a user experience based on the desktop-like interactivity
> provided by Ajax. This requires Javascript, and this means that very
> many web applications are designed which require JavaScript. To the
> extent that it's a security problem the solution might be improved
> sandboxing, because I don't think the demand for that kind of interface
> is going to go away.

Will sandboxing ever be improved enough?  It's been 18 years already.

I've some hope though: I really liked eating lots of chocolate for many
years, but I discovered I'm intolerant of an ingredient in it and it was
causing me pain, so I soon rejected it.

People really like eating lots of javascript, but once they discover
that it's a huge attack vector for security problems and causes them
pain, they may be a bit more discerning.  Hopefully, they will start to
reject the incompetent web developers and/or site owners who slam the
door in users' faces if they don't have javascript enabled
indiscriminately even when they're not doing anything that requires it.

Yes, javascript will be needed for some tasks, but it's currently
demanded (and permitted) far too widely.  That should change and I
believe the universe will reward our honesty if we advise people to only
permit javascript when they trust the website.

What do we gain by hiding this inconvenient security *and freedom*
problem from our friends?  Won't they think we're just like all the
others who would rather make it easier for people to develop whiz-bang
apps than help our friends take control of their computers?

Regards,
-- 
MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op
http://koha-community.org supporter, web and library systems developer.
In My Opinion Only: see http://mjr.towers.org.uk/email.html
Available for hire (including development) at http://www.software.coop/