On Dec 18, 2014, at 2:42 PM, Ron W <ronw.m...@gmail.com> wrote:

> On Thu, Dec 18, 2014 at 4:20 PM, Warren Young <w...@etr-usa.com> wrote:
> With today’s fast CPUs, Ajax lets us bring back the native client, for all
> practical purposes.
>
> My concern about JS (and Java) is that it is too powerful.

Don’t lump JavaScript and Java together. They have vastly different capability sets, with entirely different lineages. They only share part of a name due to an accident of history, not because they are in any way similar.

> web browsers are not properly "sand boxing" active content like JS.

[citation needed]

Two JS files served from different domains cannot communicate or interfere with each other. That means if I use the same password for Fossil as for, say, Gmail, a tab opened to www.bad-actor.ru will not be able to steal my Fossil password and thereby get into my Google account.

That sounds like sandboxing to me.

There have been bugs, but bugs have been fixed. :)

In any case, if you cannot trust JS served by Fossil, you probably can’t trust it with the files you have checked into it, either.