Stewart Stremler wrote:
>>..in recent
>> fashion, uses XMLHttpRequest/AJAX to make the client experience more
>> interactive..
>>..
> ...and to get everyone to turn on javascript in order to _see_ content,
> and thus open themselves up to scripting attacks.

I also condemn web pages that fail (to display, or to act, e.g. link/button)
when javascript is disabled. Ditto, emphatically, for plugin content.

Google actually does a pretty nice job with its maps stuff even without js.

I _am_ concerned with security under javascript. Does anyone know of
some up-to-date references to client-side issues?

> 
>> Andy, for example mentioned/alluded-to google maps, which everybody
>> seems to classify as a _good thing_.
> 
> Not me.
> 
> I want to find out how to get somewhere. Someone sends me a google-maps
> URL. I can't just follow the url and see... nooo..., I have to have a
> freaking interactive experience with my computer. I don't *WANT* an
> interactive experience with my computer, I just want to see where
> someone _lives_.

Heh, I thought we were discussing the pros/cons of web-based
applications. And, I offer that in some cases, interaction may be part
of the application requirements.

Your objection does point out one big annoyance of websites that use
javascript (or frames) for navigation -- you can't bookmark (or email)
the desired page, only the entry page. Ugh.

>..
>>..
>> interactivity benefit, compared to how it was done last year.
> 
> I don't see that much of a benefit; any sort of validation mechanism
> better damn well work _without_ javascript, or it's a waste of time. You
> still have to validate on the server side, and provide a reasonable
> error if it passes in the javascript but fails on the server.

Totally agree that the server application must not _depend_ on the
client-side validation (or formatting, or..). Nevertheless, I still
believe there are client-server applications for which a browser
interface may be an effective UI. (Or at least, that it shouldn't be
rejected without considering all the tradeoffs.) In some cases, the
application may benefit from attention to details such as my little
validation example.

>>..
>> browser will find it in its cache.
> 
> ...and the user can't see it when they "view source"...

Yes, that has also been an annoyance of mine. Firefox has a neat extension
for viewing source "as rendered".
  https://addons.mozilla.org/firefox/697/

>..
>  
> "Conventional wisdom" being what?  Javascript/ECMAScript advocates
> waving their hands, saying "just trust us" and "we don't see any real
> problems"?

Heh, I _did_ have some tongue-in-cheek intent in using the 'conventional
wisdom' trigger.

But, annoyances and usefulness questions aside (to whatever extent
possible), what are the security problems with javascript?

>..(more snippage)

..jim


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
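The point raised in the thread, that any client-side validation is only a convenience and the server must re-check every request and return a reasonable error, as an added example that is not code from either poster. The field names, the rules, and the two constructed requests are assumptions made for the illustration; one rule table is shared so the browser check and the server check cannot drift apart.

```javascript
// Added example (not from the thread): one set of validation rules applied
// twice. The browser copy gives fast feedback; the server copy is the only
// check that counts. Field names and limits are assumed for illustration.

// Rules are plain data, so client and server run exactly the same checks.
const FIELD_RULES = {
  username: { required: true, pattern: /^[a-z0-9_]{3,16}$/,
              hint: "3-16 lowercase letters, digits or _" },
  quantity: { required: true, pattern: /^[1-9][0-9]{0,2}$/,
              hint: "a whole number from 1 to 999" },
  note:     { required: false, maxLength: 200,
              hint: "at most 200 characters" },
};

// Returns a map of field name -> human-readable error.
// An empty object means the submission is valid.
function validateFields(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(FIELD_RULES)) {
    const raw = fields[name];
    // Anything that is not a string (missing, array, object) is treated as empty,
    // so a malformed body cannot slip past the pattern check.
    const value = typeof raw === "string" ? raw.trim() : "";
    if (value === "") {
      if (rule.required) errors[name] = `${name} is required`;
      continue;
    }
    if (rule.pattern && !rule.pattern.test(value)) {
      errors[name] = `${name} must be ${rule.hint}`;
    }
    if (rule.maxLength && value.length > rule.maxLength) {
      errors[name] = `${name} must be ${rule.hint}`;
    }
  }
  // Fields the form never defined are rejected instead of passed along.
  for (const name of Object.keys(fields)) {
    if (!(name in FIELD_RULES)) errors[name] = `${name} is not an accepted field`;
  }
  return errors;
}

// Browser side: run before submit so the user sees problems immediately.
// Returning ok === false stops the submit; it is usability, not security.
function clientSideCheck(formFields) {
  const errors = validateFields(formFields);
  return { ok: Object.keys(errors).length === 0, errors };
}

// Server side: never assumes the client ran anything. Every request is
// re-validated and a structured error is returned that the page can render
// whether or not javascript was enabled when the form was sent.
function serverSideHandle(request) {
  const fields = request.body && typeof request.body === "object" ? request.body : {};
  const errors = validateFields(fields);
  if (Object.keys(errors).length > 0) {
    return { status: 400, body: { error: "validation_failed", fields: errors } };
  }
  return {
    status: 200,
    body: { accepted: { username: fields.username.trim(), quantity: Number(fields.quantity) } },
  };
}

// Constructed requests (assumed, not captured traffic): one that went through
// the page's javascript, and one sent with script disabled or hand-built, so
// the client check never ran.
const viaBrowserForm = { body: { username: "jim_k", quantity: "3" } };
const bypassedClient = { body: { username: "Jim K!", quantity: "-1", discount: "100" } };

console.log(JSON.stringify(clientSideCheck(viaBrowserForm.body)));
console.log(JSON.stringify(serverSideHandle(viaBrowserForm)));
console.log(JSON.stringify(serverSideHandle(bypassedClient)));
```

The server answer for the bypassed request is a 400 with a per-field message, which is the "reasonable error" the thread asks for: a page without javascript can render it as plain text next to the form, and a page with javascript can map the same structure onto its inline hints.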
