TalkBack 6 of 9:
This is all a Bunch of Crap
Frankly, IE + Javascript != a security risk.

IE has plenty of problems, that is, ActiveX problems. JavaScript, however, is not a threat. If JavaScript is a threat, then so are Java applets, which also run on one's local machine, as are ActionScripts, which, again, also run on one's local computer. All can send data back to the server whence they originated.

I think that the latest brouhaha over JavaScript is uninformed and alarmist.

There may be a few things that, perhaps, shouldn't be allowed in JavaScript, like the transmission of a user's "real" IP address back to a server, though I think that's pretty minor. Beyond that, JavaScript cannot write anything more than non-executable "cookie" data to the local HDD. JavaScript is limited to cookie data associated with the domain which served up the given page. JavaScript cannot take control of a person's computer. It is enclosed in the browser's memory bubble. It is not capable of writing directly to memory. It is not permitted to write to memory outside of its enclosure, which is cleared out as soon as the web page is closed. It is not permitted to invoke "AJAX" style get requests to machines other than the one which served up the web page housing the given JavaScript. I suppose one could submit a get request through a hidden form or inline frame contained in an HTML document, instead of using the xmlhttprequest (or whatever it's called) object. Then again, forms have always been able to send data back to a server other than the one which served up the original web page, without JavaScript, by the way.

JavaScript has been refined, several times, to limit what kind of data are sent back to a server. For example it used to be that a JavaScript could be invoked, informing the "current" server of the next web page which a user's browser was about to select, upon "exiting" the "current" web page. They got ridda that a long freakin' time ago 'cause it did invade a person's privacy. (Some people don't want a given content provider to know that they're also into KKK websites or S&M or gambling or Islamic Jihadist stuff... I visit them all, by the way, and I'm proud of it. I especially like watching the latest beheadings out of Iraq on ogrish.com. Members of Ansar Al Sunnah are the most handy with knives. Now you know my viewing patterns. Big deal!)

So, to the idiot who wrote this article: shut up.

Oh yeah, you wanna get really scared? Have you ever considered that every time you run Google's in-browser spell checker, you're sending your data entry back to the Google Empire? With some of the things I've typed, the next thing I know, the FBI will be knocking at my door for something I've authored. Oh, wait a minute. That's already happened!

=>PW
Posted by: prwexler@...   Posted on: 08/04/06
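
The same-origin rule for script-initiated requests and the cookie domain scoping that the comment above refers to, written out as an added example that is not part of the original post. It models the classic rule (before servers could opt in to cross-origin requests via CORS); the helper names and the `*.example` URLs are constructed for illustration.

```javascript
// Added illustration: helper names and URLs are constructed, not from the post.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is the (scheme, host, port) triple of a URL.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Two URLs are same-origin only if all three parts match exactly.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cookie domain matching (RFC 6265, section 5.1.3): the request host must
// equal the cookie's domain or be a subdomain of it on a label boundary.
function cookieDomainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  // IP addresses never suffix-match a cookie domain.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// How a browser treats a request started from pageUrl, by request kind.
// 'xhr' is held to the same-origin rule; form posts and frame loads are not,
// although the page's script cannot read a cross-origin response.
function classifyRequest(pageUrl, targetUrl, kind) {
  if (kind === 'xhr') {
    return sameOrigin(pageUrl, targetUrl) ? 'allowed' : 'blocked';
  }
  if (kind === 'form' || kind === 'iframe') return 'allowed';
  throw new Error('unknown request kind: ' + kind);
}
```
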


I have an idea  Linux User 147560 | 08/04/06
Rule of Thumb  smartyram | 08/04/06
RSS Javascript Risk  Downes | 08/04/06
The problem isn't Javascript, but javascript is the warhead...  Resuna | 08/04/06
Buried in the article... it's IE again...  Resuna | 08/04/06
This is all a Bunch of Crap  prwexler@... | 08/04/06
Cause for concern  Nathank@... | 08/04/06
Really not a news, and not fair  PhilippeV | 08/04/06
Sick and Tired  whoozhe@... | 08/04/06
