Firefox security strategy (was: Firefox goodies)
Kevin D. Clark
kevin_d_clark at comcast.net
Thu Dec 29 14:38:01 EST 2005
Ben Scott writes:
> I'm not against all client-side scripting. I just think a web page
> should be limited to mucking around with itself only, and not be
> allowed to modify the window around it, or my system, or
> what-have-you. What those particular things I posted do is prevent
> web pages from doing things like turning off scroll bars, tool bars,
> and so on. Web designers seem to like to do that, either in a
> mis-guided attempt to make things "easier" or "pretty", or through
> overt desire to take control of my browser. Feh!
Sounds like we agree 100%.
> I regard NoScript and things like it (e.g., Internet Explorer's
> "Security Zones") as a kludge. While they're better then a system
> compromise, I think the *right* thing to do is design a system that is
> not inherently insecure.
At this point I'm jumping up and down, nodding my head in agreement.
> I don't know why so many programmers seem to
> think it's necessary for a web browser to be so programmable they can
> drop assembly code directly into my CPU or whatever.
Yes, I've met programmers who think that way. It is
always...interesting...to deal with people of this mindset.
> JavaScript
> should have been designed (or should be retro-fitted) such that it
> doesn't even have the capability to do risky things. We shouldn't
> need to have elaborate DOM security models; they just shouldn't be
> possible. (Of course, everybody's definition of "risk" is different,
> but there's gotta be some common ground in here somewhere.)
To me, you just described Java, but that's another thing entirely.
Regards,
--kevin
--
GnuPG ID: B280F24E
More information about the gnhlug-discuss
mailing list