begin quoting James G. Sack (jim) as of Fri, Dec 01, 2006 at 01:46:22PM -0800:

> Stewart Stremler wrote:
[snip]
> > My take was that AJAX doesn't introduce any _new_ security problems.
> >
> > Aside from training users to leave Javascript enabled by default, and
> > to avoid using tools like NoScript or Muffin.
>
> No arguments. Although I believe javascript will probably not go away
> (_hopefully_, security [and annoyance] risks will diminish with time --
> wishfully?).
I'd like to see a form of code mediation -- a way for me, the user, to *look* at the code that will be executed by the browser's javascript engine, *prior* to it being executed. Possibly modified. And with the option of making those modifications persistent.

> Thanks for mentioning NoScript and Muffin. I found the following pages
> http://www.noscript.net/whats
> http://muffin.doit.org/
> which do look interesting.

You're welcome.

> BTW, the author of the original article has a blog and evidently some
> respect in the security world. One interesting post is
>
> Browser Port Scanning without JavaScript
>
> http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html

Heh. He's not quite port-scanning (his example lacks ports), but still, that's quite clever. Wonder if it still works if you disable CSS?

-- 
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
