On 2013-10-15 19:54, Cathal Garvey wrote:
with folks that refuse to run JavaScript
Not "JavaScript"; "Unverified, potentially malicious code with a
rich history of exploits inside a frame I use to navigate the online
world". It wouldn't matter if the code was LISP or Python; the problem
isn't the language, it's the context.
That said, I do run Javascript, albiet through NoScript. I just wish
there were more fine-grained policy restrictions I could place on it,
such as "No XmlHttpRequest/Websocket" or "No browser introspection
(fonts, boundaries, etc.)", and let webapps that are trying to
fingerprint me without my permission just crash and burn.
Javascript can be controlled by being recompiled into the Caja subset of
javascript.
In practice, however, this is only done when a server controlled by one
organization is generating a web page containing javascript controlled
by another organization - Caja is used to protect one website against
another, but not used to protect the client against the website.
