On Oct 17, 2017, at 7:12 PM, Andy Goth <[email protected]> wrote:
>
> requiring JavaScript access has proven to be
> fatal for his project's usage of Fossil.
I noticed a complete lack of “me, too” in that thread. Usually when one of the
other VCSes does something different from Fossil, people are quick to jump on
it as a weakness of Fossil, but here…?
I think the no-JavaScript fight is long over, and I say that as a longtime user
of NoScript.
A great many of the old concerns about the security problems with Javascript
have gone away through various efforts, and atop that, the vast majority of web
sites and web apps now require JavaScript.
Furthermore, most of the sentiment about how web sites should run without JS
applies to content-providers, not to web apps. It is understood that web apps
work a whole lot better if you can do a lot of the processing on the client
side, rather than eat an HTTP round-trip every time any significant computation
must be done.
I do have one positive contribution to this, though it’s really too early for
me to be commenting seriously on it: Someone™ should run OWASP ZAP against
Fossil and see what it would take to placate it:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Unlike the recent fight about compiler warnings on the SQLite mailing list, ZAP
tends to highlight actual problems. The more web apps that ship with stringent
Content-Security-Policy headers, the fewer arguments we’ll have for allowing JS
on web pages.
I suspect it would be fairly difficult to get Fossil to ship such a CSP. I
seem to recall that it uses a lot of inline CSS and JS, which are a problem
from a CSP standpoint, particularly for an app like Fossil which is all about
user-provided content.
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
