> Btw. the example given for IE is a classic example of what is so wrong
> with Javascript: you can do anything with it - including e.g. trivial
> stealing of passwords by popping up fake login dialogs - _even if it
> doesn't make sense in the context_. This alone is a reason to
> completely block and disable it.

In this particular case it's a beautiful example of how not to configure
a web based email system. Javascript does have a sense of security domains
and nowadays it even seems to work right (see old stuff with the one line frame
snooping on the rest).

Untrusted content should be served in a different security domain to the
main system. If hotmail handed out its own admin stuff from hotmail.com and
the message contents from ifyoutrustthisyouarecrazy.com, things would be a lot
safer. I concur, however, that for many of us it's not safe enough.

Alan
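One way to lay out the separation described above, as an added example that is not from this thread: the application UI lives on one origin, message bodies are served from a different registrable domain inside a sandboxed frame. The host names mail.example and msg-content.example, and the helper functions, are assumptions for the illustration.

```javascript
// Added example (not from the original thread). Assumed hosts:
// mail.example serves the trusted UI, msg-content.example serves message bodies.
const APP_ORIGIN = "https://mail.example";
const CONTENT_ORIGIN = "https://msg-content.example";

// Reject layouts where untrusted content shares an origin, or even a parent
// domain, with the application: cookies set for the parent domain are sent to
// its subdomains, so messages.hotmail.com would not be a real boundary.
// Registrable domain is approximated here as the last two host labels;
// production code should consult a public-suffix list.
function isSeparateSecurityDomain(appOrigin, contentOrigin) {
  const a = new URL(appOrigin), c = new URL(contentOrigin);
  if (a.origin === c.origin) return false;
  const site = (h) => h.split(".").slice(-2).join(".");
  return site(a.hostname) !== site(c.hostname);
}

// Response for a message body from the content origin. The CSP "sandbox"
// directive stops scripts from running in that document at all, and
// "frame-ancestors" only lets the application origin frame it.
function buildMessageResponse(untrustedHtml) {
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Content-Security-Policy": `sandbox; frame-ancestors ${APP_ORIGIN}`,
      "X-Content-Type-Options": "nosniff",
    },
    body: untrustedHtml,
  };
}

// Inbox page on the application origin: the message is embedded through a
// sandboxed iframe on the other origin, so even if a script did run in it,
// the same-origin policy keeps it away from this document, its cookies and
// the real login form below.
function buildInboxPage(messageId) {
  const src = `${CONTENT_ORIGIN}/messages/${encodeURIComponent(messageId)}`;
  return `<!doctype html><title>Inbox</title>
<form action="/login"><input name="password" type="password"></form>
<iframe sandbox="" src="${src}" referrerpolicy="no-referrer"></iframe>`;
}

if (!isSeparateSecurityDomain(APP_ORIGIN, CONTENT_ORIGIN)) {
  throw new Error("message content must not share a domain with the UI");
}
```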
