Firefox security strategy (was: Firefox goodies)
Ben Scott
dragonhawk at gmail.com
Thu Dec 29 14:17:01 EST 2005
On 12/29/05, Bill McGonigle <bill at bfccomputing.com> wrote:
> ... Check out NoScript ...
On 12/29/05, Kevin D. Clark <kevin_d_clark at comcast.net> wrote:
> JavaScript can be grubby, but it also enables things like AJAX, which
> can be genuinely useful/neat.
Heh. I was wondering if this would happen. :)
I'm not against all client-side scripting. I just think a web page
should be limited to mucking around with itself only, and not be
allowed to modify the window around it, or my system, or
what-have-you. What those particular things I posted do is prevent
web pages from doing things like turning off scroll bars, tool bars,
and so on. Web designers seem to like to do that, either in a
mis-guided attempt to make things "easier" or "pretty", or through
overt desire to take control of my browser. Feh!
I regard NoScript and things like it (e.g., Internet Explorer's
"Security Zones") as a kludge. While they're better than a system
compromise, I think the *right* thing to do is design a system that is
not inherently insecure. I don't know why so many programmers seem to
think it's necessary for a web browser to be so programmable they can
drop assembly code directly into my CPU or whatever. JavaScript
should have been designed (or should be retro-fitted) such that it
doesn't even have the capability to do risky things. We shouldn't
need to have elaborate DOM security models; they just shouldn't be
possible. (Of course, everybody's definition of "risk" is different,
but there's gotta be some common ground in here somewhere.)
-- Ben