> Alain: Security-wise, JavaScript is no worse than other languages, it seems
> to me. The most recent incarnation of JS has been overhauled in terms of
> security. Which is good, I am sure, but which caused me many headaches this
> year.

Anthony: I've lost count of how many JS security holes there have been last year, from stealing credit card numbers to faking which site you're looking at.

Alain: The latest incarnation of JavaScript is much more security-oriented than all of its predecessors. There is tainting and procedure authentication, and all of that. With these features taken into consideration, are you still insecure about JavaScript's secureness? Is JS the WORST language in this regard?

>> Uli: Would it be possible to change the navigation to use regular HTML?

> Alain: I endeavour to be as flexible as possible but, in this case, I cannot
> compromise at all. While my system is 80% server-side, and the 20%
> client-side JavaScript that I do use is limited in scope to the
> fundamentals ... without JS, the whole solution falls apart.

Anthony: What does the JavaScript do? It activates a simple form.

Alain: It is more essential than that. The onLoad event of the middle-frame re-adjusts the buttons in the top-frame, produces the default message that is displayed in the bottom-frame, and starts a timer. Hidden form elements maintain the state of the user. Going to any page stops the timer and transparently submits the user's state to the server. As a by-product of the process, the values of the user's form-elements are also sent. We are going to exploit the latter to record members' votes. This is basically it, with the exception of a few calculations, moving some data around, bypassing the default form-element selection order in order to guide the data-entry of the student/user, and some other interface niceties that make the web-experience more user-friendly.

Anthony: Some reason why clicking the navigation images can't do that?

Alain: That would mean that each image's link would have to be hard-coded with the image tag, and the HTML of the buttons frame would have to be changed every time you change page. That is MUCH slower than dynamically changing them (appearance and destination) with a little bit of JavaScript.

> Anthony: I've got problems besides just letting unknown parties execute
> code on my machine.

Alain: 1. Am I an unknown party that you don't trust?

Alain: 2. JavaScript's scope is pretty much limited to the HTML page that embeds it. Like Java and others, JavaScript cannot read or write to the user's disk. It doesn't have hooks into the user's operating system. Besides a little tricky spoofing on the web to rip off credit card numbers and other secure information from unsuspecting people naive enough to consider the Internet secure in the first place, what can JavaScript do that is deleterious to the client's machine?

> Anthony: 3 of the 4 browsers I use don't support JS.

Alain: My official position on this matter is that I only support Netscape and Explorer, the two most widely used browsers throughout the World. My system would probably also work well with other less-known browsers, like Mosaic and such. The browsers that I do NOT support are the primitive ones that don't support frames, tables and/or even graphics.

>> Uli: Also, I don't get anything in the bottom frame.

> Alain: That frame was intentionally empty.

> Anthony: Please remove it. It makes it need to scroll on my 13" monitor.

Alain: That frame was intentionally left empty because it will eventually serve a purpose. Actually, it will serve several purposes:

* A frame to provide pretty, customized feedback to the user, instead of relying on the ugly dialogs provided by JS itself. They are not only ugly, they are very limited and in English, while many of my clients are French.

* A rough equivalent of HC's msg box, on the Web. To display messages, like the above, but also to allow the user to use it to submit commands to my server.

* Another set of buttons, like the top-frame, with further operations that are context-sensitive (e.g. card-specific).
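The frame scheme Alain describes (onLoad re-pointing the top-frame buttons, hidden form elements carrying the user's state, the timer stopped and the whole form submitted on navigation), as an added example that is not code from his system. Frames are modelled as plain objects rather than window.frames so it runs outside a browser; the page names, button names, vote field and the server-side validation are assumptions added here.

```javascript
// Added example: a model of the frame navigation scheme described above.
// Frames are plain objects instead of window.frames so the logic runs outside
// a browser. Page names, button names and the vote field are assumptions.
const PAGES = {                      // assumed site map: where each top-frame button leads
  home:  { prev: null,    next: 'card1' },
  card1: { prev: 'home',  next: 'card2' },
  card2: { prev: 'card1', next: null },
};
const VOTE_OPTIONS = ['yes', 'no', 'abstain'];   // assumed values a vote field may hold

function newFrames() {
  return { top: { buttons: [] }, middle: { hidden: {}, form: {}, timerStart: null }, bottom: { message: '' } };
}

// Middle-frame onLoad: re-point the top-frame buttons (appearance and
// destination), write the default bottom-frame message, record the user's
// state in hidden elements, and start the timer.
function onMiddleLoad(frames, page, now) {
  const dests = PAGES[page];
  frames.top.buttons = Object.keys(dests).map(name => ({
    name,
    enabled: dests[name] !== null,       // greyed out when there is nowhere to go
    href: dests[name],
  }));
  frames.bottom.message = `Page ${page} loaded`;
  frames.middle.hidden.page = page;      // hidden elements hold the user's state
  frames.middle.timerStart = now;
}

// Leaving a page: stop the timer and build the submission. Every form element
// goes along, hidden state and visible fields alike; the latter is the
// by-product used to record votes.
function navigate(frames, target, now) {
  const elapsedMs = now - frames.middle.timerStart;
  frames.middle.timerStart = null;       // timer stopped
  return { target, elapsedMs, hidden: { ...frames.middle.hidden }, form: { ...frames.middle.form } };
}

// Server side (added check, not from the original design): the hidden fields
// travelled through the client, so validate them before recording anything.
function serverReceive(submission) {
  if (!(submission.target in PAGES)) return { ok: false, reason: 'unknown page' };
  if (!(submission.hidden.page in PAGES)) return { ok: false, reason: 'bad state' };
  const vote = submission.form.vote;
  if (vote !== undefined && !VOTE_OPTIONS.includes(vote)) return { ok: false, reason: 'bad vote' };
  return { ok: true, recorded: vote === undefined ? null : { page: submission.hidden.page, vote } };
}
```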