> And more and more people are using something like noscript to block it
> because XSS hacks are out of control. It is too easy to publish a website
> and too many web developers only care about their own data, they don't care
> about protecting users from malicious content.

"More and more" ... yes, a handful a day. The vast majority of users
don't. Just like people going insane about cookie security. It's the
uninformed and paranoid spreading FUD. I have Javascript, Java, Flash
and Gears all enabled on my browsers - I have zero issues. I enjoy the
capabilities that Flash and Gears add too, and nowadays almost every
website relies on Javascript for something.

> That's why more and more users who have flash installed are not letting web
> sites execute it (or anything).

Got some stats/URLs for this?

> If you are youtube, it is reasonable to require the user have flash
> installed. Otherwise there's a good chance they won't.

Interesting. Flash has 96% or so penetration, and it is not
usually handled on a per-site basis. Why is youtube the only site
someone would allow Flash on? More and more websites are turning to
rich media, with Flash being the de facto standard. Go to almost any
major website, and if the content itself doesn't have Flash mixed in,
the banner ads and other functionality does.

> I don't let a site execute flash in my browser unless I'm sure I need it to
> get what I want. Sites that code in flash that don't need to, I'm not going
> to open up myself to possible XSS exploits just because they chose to make
> their site only work when I open up my browser to vulnerabilities.

Only the paranoid survive... I also don't drive on days ending with
"y" because of the chance of an automobile accident.

> Many corporate environments are now also mandating that flash and javascript
> be disabled as well because of the XSS dangers.

Funny, I work for a fortune 50 company and Java is mandatory on our
machines due to the intranet applications which require applets.

> Use Javascript to make life easier on those who have it enabled but if
> things don't work peachy without it, you are doing it wrong.

Gears is basically extensions to Javascript with some security baked
in... so thank you for further reiterating my point.

> Use flash for what really genuinely requires flash, and file upload isn't
> one of them.

Agreed. It's just another applet option. Just like ActiveX or Java.

> If I attached "somefile.exe" and told you to run it, would you?
> Web masters who require the user to allow execution are doing just that, and
> users who allow such execution of code they know nothing about are, to be
> blunt, fools and easy targets.

Last I checked, Flash applets aren't very insecure. Java is a bit
easier. ActiveX is very easy.

It's all about the installation and the user.