> If the javascript contains an XMLHttpRequest object, it can call out
> to a different server (than the one you are visiting) without your
> explicit knowledge, download content, and do basically whatever the
> user the browser is running as can do,
I'm aware. This object has in practice transformed the browser into an application platform.

> barring browser sandboxing,

If it is leaking, yes.

> etc...and that's not the only way javascript can be used maliciously

These are called security holes.

> There is good reason not to explicitly trust javascript or any other
> browser plugin that allow the remote site to execute code on your
> machine.

Unfortunately, we are living in a world where almost all applications are nowadays written in JavaScript or compiled to JavaScript. And it is a matter of time until the rest of the issues that prevent using it ~everywhere to reduce server load are solved. For that reason, it is not beneficial to avoid JavaScript. Instead it is useful to think about how it can be run securely. JavaScript is today's C.