On Oct 17, 2017, at 7:12 PM, Andy Goth <andrew.m.g...@gmail.com> wrote:
> 
> requiring JavaScript access has proven to be
> fatal for his project's usage of Fossil.

I noticed a complete lack of “me, too” in that thread.  Usually when one of the 
other VCSes does something different from Fossil, people are quick to jump on 
it as a weakness of Fossil, but here…?

I think the no-JavaScript fight is long over, and I say that as a longtime user 
of NoScript.

A great many of the old concerns about the security problems with Javascript 
have gone away through various efforts, and atop that, the vast majority of web 
sites and web apps now require JavaScript.

Furthermore, most of the sentiment about how web sites should run without JS 
applies to content-providers, not to web apps.  It is understood that web apps 
work a whole lot better if you can do a lot of the processing on the client 
side, rather than eat an HTTP round-trip every time any significant computation 
must be done.

I do have one positive contribution to this, though it’s really too early for 
me to be commenting seriously on it: Someone™ should run OWASP ZAP against 
Fossil and see what it would take to placate it:

    https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Unlike the recent fight about compiler warnings on the SQLite mailing list, ZAP 
tends to highlight actual problems.  The more web apps that ship with stringent 
Content-Security-Policy headers, the fewer arguments we’ll have for allowing JS 
on web pages.

I suspect it would be fairly difficult to get Fossil to ship such a CSP.  I 
seem to recall that it uses a lot of inline CSS and JS, which are a problem 
from a CSP standpoint, particularly for an app like Fossil which is all about 
user-provided content.
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Reply via email to