>Hello? I don't think that should make any difference. I should be able
>to visit absolutely any website on the Internet without any danger to my
>computer or the data stored on it. Any browser which allows otherwise
>has a bug.

Then Javascript *as a language* is a bug.

>Javascript is not inherently a virus vector. Flawed

A virus vector is not the only security problem. Leaking information
to the web site is also a problem.

>implementations might be; the language itself is not.

Does the language allow Javascript to open a new window?
Does the language allow Javascript to trigger a function when a
window is closed? I believe the answer to both questions is YES.
Then it is possible to have a page that pops up two windows whenever
you close one. This isn't theoretical: I've seen someone demonstrate
this with certain nasty porn sites. The only way to recover was to
kill off the browser and restart it. (Clicking HOME apparently
fired off a cascade of closed windows which then opened more, running
the browser out of virtual memory.) Because of this, he lost work
in progress with another web site. (Apparently he accidentally
clicked on a banner ad which led to this booby-trapped site.)

>Similarly for
>anything else. In reality, with a properly-configured, good quality
>operating system (probably a UNIX-type system), one ought to be able to
>run full native code without any danger to one's computer or data
>(think: under the NOBODY account on Linux).

If it can reveal my email address to any web site, it's a bug.
If it can access or alter my personal files or address book, it's a bug.
If it can generate hits on web sites other than that specified in the HTML, it's a bug.
If it can open sockets, it's a bug.
If it can look at or set cookies stored on my system, it's a bug.
If it can look at or alter the list of previously visited URLs, it's a bug.

>> Browsers don't read unsolicited web sites. Email readers do, however,
>> read unsolicited email, and email from downright hostile correspondents.
>> And I consider "web bugs" and similar tracking methods to be a danger
>> for something that's supposed to be ONLY "formatted text".

Gordon L. Burditt