Security and Javascript

Timo Juhani Lindfors timo.lindfors at
Fri Jun 28 21:27:05 UTC 2013

Werner Koch <wk at> writes:
> [ Then please set an MFT header and my MUA will comply.  That discussion
>   is > 15 years old and we have since then a working solution.]

[ Sorry but I have no idea how to do that. However, I added "reply to
  list" support to gnus a few years ago, it might be useful even if you
  don't want to use it: ]

> It is a blacklist: For example: The code loaded from external source may
> not open a file on user's host.  A whitelist would cleary state what the
> code is allowed to do.  But then it wouldn't be a useful language
> anymore.

My system has always had a webcam but javascript only got to access it
when chromium implemented support for it. You might call this a
blacklist but at least to me it's looks like a whitelist. Wikipedia is
not a good reference but does
talk about "granting privileges" which also would imply whitelist and
not blacklist :/

>> See the point about non-free plugins :(
> That usually makes the audit easy:  We can't audit it thus it shall not
> be used.

Unfortunately the reality is that it does get used.

> Here in the sense that it is a well defined set of code which comes with
> a signature and can be tracked back to an audit or a trusted source.  it
> can't: MitM attack on PKIX are commonplace.  Does anyone really believe
> that the NSA has no means to ask another secret service to have one of
> their national CAs issue a malicious certificate?  Come on: That system
> has been corrupted by the PKI business ever since.  Nobody can expect
> that they ever withstood requests from the slouch hats.

No comment ;-)

More information about the Discussion mailing list