Gervase Markham writes:

> This is demonstrably not true. JavaScript can execute on a client
> machine without it necessarily compromising system security.

No, it cannot. Nothing that executes code on the client machine is completely secure. Therefore you must have a way to disable any such code execution. However, since executing code on the client machine is so useful in so many cases, you need to be able to enable it for certain sites while simultaneously disabling it for others.

> The question is whether the browser places appropriate limits on the
> capabilities of the executing code.

If you have flexibility in configuring security, you don't have to ask that question. And since you don't know the answer to that question until security is breached (at which point it's too late), being able to flexibly configure security is essential.

> Java, JavaScript and Flash all place such limits. In the JavaScript
> case, it's our responsibility, in the Java case, it's Sun's, and in the
> Flash case, it's Macromedia's.

No. The responsibility is with the browser author, who must provide ways to disable potentially insecure content from potentially insecure sources. You're making exactly the same argument that Microsoft has made in the past. I saw through it then, and I see through it now.

> If any of these people fail in their duty, then it's possible that
> system security could be compromised. But if they don't, it isn't.

The problem is that most of us cannot afford to discover such compromises the hard way. There has to be a way of preventing them from ever occurring.

--
Anthony
