Because it allows code selected by a third party to be executed on the client machine. _Any_ mechanism that allows this is a vector for viruses and other compromises of system security.
This is demonstrably not true. JavaScript can execute on a client machine without it necessarily compromising system security. The question is whether the browser places appropriate limits on the capabilities of the executing code.
Java, JavaScript and Flash all place such limits. In the JavaScript case, it's our responsibility, in the Java case, it's Sun's, and in the Flash case, it's Macromedia's.
If any of these people fail in their duty, then it's possible that system security could be compromised. But if they don't, it isn't.
Gerv _______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
