On Fri, Dec 20, 2002 at 09:15:00AM -0800, Ian Clarke wrote:
> On Fri, Dec 20, 2002 at 03:26:13PM +0000, Cruise wrote:
> > Because of course your average user will tell the difference between
> > javascript on a Freesite (bad) that appears when they click a link,
> > from javascript on a download page (good) that appears when they
> > click a link.
>
> Generally speaking, if someone has found a hole in the FProxy filter,
> and they plan to compromise someone's security through Javascript, they
> aren't going to advertise that fact by making a window pop up!
>
> What exactly is the user supposed to think on seeing a window appear
> that is so completely terrible? The worst they can think - "hey, a
> window can only appear with Javascript and javascript in a freesite is
> bad, I had better email support at freenetproject.org" is:
> a) Unlikely
> b) Harmless

No, the worst is that they assume that javascript is okay, and either a)
use it in their freesite, trip the filter, and learn better and/or b)
figure out that javascript could be harmful and come talk to us about
it. Either way, we lose very little.

>
> > It's not that javascript is bad. It's not that your method is bad.
> > Far from it. It's just that a lot of people will have trouble telling
> > the difference between stuff that is and stuff that isn't. Rather
> > than risk them accepting everything, surely it would be better to
> > accept nothing, and lose a tiny bit of visual nicety?
>
> That doesn't make sense.
>
> If someone is maliciously using Javascript in a freesite the user is
> unlikely to see any physical manifestation of it anyway, so what exactly
> is being lost here?
>
> Ian.
>
> --
> Ian Clarke ian@[freenetproject.org|locut.us|cematics.com]
> Latest Project http://cematics.com/kanzi
> Personal Homepage http://locut.us/

--
Matthew Toseland
toad at amphibian.dyndns.org
amphibian at users.sourceforge.net
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
