Matthias Kirschner <[email protected]> wrote:
> I'd like to have some feedback from you. Do you agree with those points?
>
> 1) on most computers Javascript is enabled by default

It's enabled by default in most browsers, but lots of embedded computers don't have browsers (or browser-independent JavaScript implementations) installed.

> 2) This gives anyone a platform to play with parts of their owner's
> equipment.

Not anyone, "only" anyone who controls a website the browser accepts JavaScript from or is able to modify the traffic.

> 3) From a security point you are lost as soon as you give an adversary
> the opportunity to control your system.

At least in theory the JavaScript provider's control over the owner's system is limited by the "sandbox". Given the poor security track record of all JavaScript implementations, executing JavaScript from untrustworthy sources certainly makes the system less secure, though.

> 4) Only non-active web content can guarantee that you keep control over
> your equipment.

"Non-active web content" tends to cause a lot fewer security problems than "active content", but that's about it.

> And the last question: if all above is true, do we want to tell this to
> the public? Does it help? Or would we be seen as being completely
> paranoid?

I think at first the FSFE should make sure that its own website properly works without JavaScript enabled. A good start would be fixing or ditching EtherPad, whose developers apparently don't care about accessibility.

Fabian
_______________________________________________
Discussion mailing list
[email protected]
https://mail.fsfeurope.org/mailman/listinfo/discussion
