>On Fri, Dec 20, 2002 at 03:26:13PM +0000, Cruise wrote:
>>Because of course your average user will tell the difference
>>between javascript on a Freesite (bad) that appears when they
>>click a link, from javascript on a download page (good) that
>>appears when they click a link.
>
>Generally speaking, if someone has found a hole in the FProxy
>filter, and they plan to compromise someone's security through
>Javascript, they aren't going to advertise that fact by making a
>window pop up!
>
>What exactly is the user supposed to think on seeing a window appear
>that is so completely terrible? The worst they can think - "hey, a
>window can only appear with Javascript and javascript in a freesite
>is bad, I had better email support at freenetproject.org" is: a)
>Unlikely b) Harmless
>
>>It's not that javascript is bad. It's not that your method is bad.
>>Far from it. It's just that a lot of people will have trouble
>>telling the difference between stuff that is and stuff that isn't.
>>Rather than risk them accepting everything, surely it would be
>>better to accept nothing, and lose a tiny bit of visual nicety?
>
>That doesn't make sense.
>
>If someone is maliciously using Javascript in a freesite the user is
>unlikely to see any physical manifestation of it anyway, so what
>exactly is being lost here?
>
>Ian.

That's not the point. We tell users not to enable javascript because
it's inherently unsafe within Freenet. Then, we use javascript within
Freenet (as far as the user can tell), as if we /expect/ them to
ignore what we've suggested. I think the point that people are trying
to make (or at least, I think the point I'm trying to make) is that it
implies a) we don't listen to our own advice (I know it isn't
true...it just *seems* to be), and b) we don't expect anyone else to
listen to our advice.

Arguing over this is incredibly trivial, to be honest, and I don't
care what decision is made...I have javascript disabled on everything
by default anyway...but I figured it was at least worth pointing out
that a lot of people will find it very strange, and it might damage
the worthiness of our other "security warnings."

[ cruise / casual-tempest.net / transference.org ]
