> Users:
> * switch off Javascript (and any other active content)
> * avoid pages unusable without active content
>
> Developers:
> * always offer working alternatives to active content (page must be usable with no JS, no Java, no Flash (I won't talk about other client-side monsters here)).
> * convince your bosses/clients that (X)HTML/CSS is enough to make beautiful and usable pages.
>
> OK, now call me names :-)
Neither of these options will work. Consider this scenario.

1) Joe Bloggs logs into my website and has an active session.
2) Clicks on a link (either from an email or from content posted on my site) to http://www.malicious-site.com/index.html
3) That index page contains an <img src="/logo.gif" /> tag
4) Instead of serving the image, the server at www.malicious-site.com issues a 302 HTTP status code which redirects Joe Bloggs to http://my.website.com/change_password?new_password=abcde

So his password gets changed: because this is coming from a live session, the request is from his own browser and sends the session cookie, and he doesn't see the image because the returned page isn't an image.
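The scenario above works because the password-change endpoint trusts nothing but the session cookie, which the browser attaches to the redirected image request exactly as it would to a legitimate one. The following is an added example, not code from either poster: a minimal model of that endpoint, first as the naive handler the scenario assumes, then hardened so the cross-site image request cannot change state. The `Request` class, the `USERS`/`SESSIONS` tables and the sample cookie value are constructed for this example.

```python
"""Added example (not from the thread): the change_password endpoint from
the scenario, naive and hardened. Request, USERS and SESSIONS are
constructed stand-ins for a real framework's request object and stores."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample state: one logged-in user with one active session.
USERS = {"joe": "hunter2"}
SESSIONS = {"sess-joe-123": {"user": "joe", "csrf": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)    # parsed query string
    form: dict = field(default_factory=dict)     # parsed POST body
    cookies: dict = field(default_factory=dict)  # cookies the browser attached


def _session(req):
    """Look up the session named by the cookie the browser sent."""
    return SESSIONS.get(req.cookies.get("session"))


def naive_change_password(req):
    """The handler the scenario assumes: a valid session cookie is the only
    check, so any GET the browser makes (including one it was redirected
    into by an <img> on another site) succeeds."""
    sess = _session(req)
    if sess is None:
        return 401, "not logged in"
    new_pw = req.query.get("new_password") or req.form.get("new_password")
    if not new_pw:
        return 400, "missing new_password"
    USERS[sess["user"]] = new_pw
    return 200, "password changed"


def hardened_change_password(req):
    """Same endpoint with two checks an image request cannot satisfy:
    state changes only on POST (an <img> can only issue a GET), and the
    POST must carry the per-session CSRF token, which another site cannot
    read and so cannot forge."""
    sess = _session(req)
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change requires POST"
    token = req.form.get("csrf_token", "")
    # Constant-time comparison so token validity cannot be probed by timing.
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    new_pw = req.form.get("new_password")
    if not new_pw:
        return 400, "missing new_password"
    USERS[sess["user"]] = new_pw
    return 200, "password changed"


def forged_image_request():
    """What Joe's browser sends after following the 302: a plain GET with
    the session cookie, indistinguishable from a normal image load."""
    return Request("GET", "/change_password", query={"new_password": "abcde"},
                   cookies={"session": "sess-joe-123"})


def legitimate_form_post(token):
    """What the site's own password-change form submits."""
    return Request("POST", "/change_password",
                   form={"new_password": "newpw", "csrf_token": token},
                   cookies={"session": "sess-joe-123"})


if __name__ == "__main__":
    print(naive_change_password(forged_image_request()))
    print(hardened_change_password(forged_image_request()))
    print(hardened_change_password(
        legitimate_form_post(SESSIONS["sess-joe-123"]["csrf"])))
```

The point of the hardened version is that neither check depends on the user having scripting disabled: the browser still sends the cookie, but a GET no longer changes anything, and a forged POST would need a token that only pages served from the site itself ever receive.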