Security and Javascript

Otto Kekäläinen otto at
Sat Jun 29 13:10:33 UTC 2013

2013/6/29 Fabian Keil <freebsd-listen at>:
>> Tools like etherpad are really useful and I don't think they can be
>> implemented without a certain amount of JS at the moment.
> Allowing users to read and modify a text with a browser isn't rocket
> science and doesn't require JavaScript.

Come one, Etherpad does much more than simply read and modify text,
and what it does can certainly not be done without JavaScript.

I think that the success of HTML5 and related technologies is great. I
really seems to have lead us out of the Microsoft lock-in world and
thanks to the early vice decisions on open standards and Free Software
the web is both technically, culturally and legaly a much more open
place than any of it's competitor. The web is not perfect and it is
still possible to publish proprietary programs with closed down and
obfuscated JavaScript code, but still, it is much better than the
competition in many regards.

I am not afraid of JavaScript. If we look at the security record of
many browser related technologies, almost all security issues where
somebody has managed to privilege them self up to the OS level from
the browser sandbox has been related to Active X, Java applets or
Flash. I don't allow my browser to automatically execute any of these,
and with Flashblock I control case-by-case when it is allowed. I don't
block JavaScript and I am not afraid of it. I've been doing web apps
coding JS both on the server side and client side for many years and
I've never come across any method to escape the browser sandbox, all
security issues I know are related to over-consuming resources and
service denial, cross-site scripting and traditional user-assisted
attacks. All of these have effective counter measures already and e.g.
cross-site post attacks can be done even without JS if the website
developer was clueless.

As Free Software supporters our biggest threats are the dominance of
Microsoft Office and their file formats with network effects, the
pre-installed Windows monopoly and source code hiding app stores on
mobile and desktop platforms. The success of HTML5 and friends
automatically helps defeat these and if we start campaigning against
JavaScript, we'll just end up helping closed app store ecosystems and
old monopolies.

Also in your discussion you seem to value security features
out-of-context. Security is always a trade-off between what you gain
and what you loose. If you want maximum security you can shut off your
computer or disconnect it from any networks, but that isn't the point.

The question here should be is it better to run apps locally or via
the browser? The simple answer to this is that it depends on what the
application does. In most cases if you are developing new end-user
software I'd recommend the browser based approach, simply because that
is the only way you'll get a truly cross-platform usable app.

Otto Kekäläinen                   []         otto at
Finnish Team Coordinator        [][][]  finland at
Free Software Foundation Europe   ||      +358 44 566 2204
Support FSFE!

More information about the Discussion mailing list