Sean Whitton <spwhit...@spwhitton.name> writes:
> On Fri, Aug 25 2017, Laura Arjona Reina wrote:

>> My concern is about doing the right thing... making our web visitors
>> run javascript code from sid in their browsers does not sound right for
>> me.

It's fairly unlikely that this would cause a problem in practice given
how the Javascript is used in this case and given the other contents of
www.debian.org. The primary concern with Javascript is that it could
expose the site to XSS or other web vulnerabilities, but I believe the
content of www.debian.org is entirely public, so there's no meaningful
XSS or CSRF or related vulnerability that I can think of. The remaining
issues seem fairly obscure.

That said, introducing Javascript for the first time does feel like a
large-ish step, and the reluctance also makes sense. I'm not sure the
search functionality really adds much. (I haven't checked to confirm
that is the only thing in the Sphinx output that uses Javascript, and
that it's not used for something more useful like responsive design on
mobile browsers, but maybe Sean has.)

>> Would you (Debian Policy Team) consider acceptable to leave the website
>> version of the manual as it is now, without any javascript?

I have no objections! I'm happy to have the web team make the call for
what makes the most sense for the web site.

> I'd want us to generate output that doesn't try to load any JavaScript,
> though, rather than publishing something which we expect to be buggy.
> [1] looks like a good starting point.

> Russ: do you agree? If so, we can file a bug against policy to produce
> output without javascript, and block this bug by that one.

I suppose that also works, although it assumes that the only use of
Javascript is just the search box. I don't really want to do a lot of
meddling with the Sphinx output (since part of the goal is to let Sphinx
take care of the details of output), but this doesn't look like a ton of
work and looks likely to continue to be supported.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>