Security and Javascript

Fabian Keil freebsd-listen at
Fri Jun 28 11:10:35 UTC 2013

Matthias Kirschner <mk at> wrote:

> I'd like to have some feedback from you. Do you agree with those points?
> 1) on most computers Javascript is enabled by default

It's enabled by default in most browsers, but lots of embedded computers
don't have browsers (or browser-independent JavaScript implementations)

> 2) This gives anyone a platform to play with parts of their owners
> equipment. 

Not anyone, "only" anyone who controls a website the browser accepts
JavaScript from or is able to modify the traffic.

> 3) From a security point you are lost as soon as you give an adversary
> the opportunity to control your system. 

At least in theory the JavaScript provider's control over the owner's
system is limited by the "sandbox".

Given the poor security track record of all JavaScript implementations
executing JavaScript from untrustworthy sources certainly makes the
system less secure, though.

> 4) Only non-active web content can guarantee that you keep control over
> your equipment. 

"Non-active web content" tends to cause a lot less security problems
than "active content", but that's about it.

> And the last question: if all above is true, do we want to tell this to
> the public? Does it help? Or would we be seen as being completely
> paranoid.

I think at first the FSFE should make sure that its own website
properly works without JavaScript enabled. A good start would be
fixing or ditching EtherPad whose developers apparently don't care
about accessibility.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <>

More information about the Discussion mailing list