Gervase Markham writes:
This is demonstrably not true. JavaScript can execute on a client machine without it necessarily compromising system security.
No, it cannot. Nothing that executes code on the client machine is completely secure.
Please argue with what I say, not with what you'd like me to say. In particular, note the word "necessarily", and the rest of my explanation.
Java, JavaScript and Flash all place such limits. In the JavaScript case, it's our responsibility, in the Java case, it's Sun's, and in the Flash case, it's Macromedia's.
No. The responsibility is with the browser author, who must provide ways to disable potentially insecure content from potentially insecure sources.
It's also our responsibility - in that, if there's a hole in the Java plugin, depending on the severity we might decide to have Firefox refuse to run with vulnerable versions.
But first and foremost it's Sun's responsibility to write the plugin without holes.
Gerv
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
