Comment Re:Javascript means no dice (Score 1) 153

"Secondly, I can't take your rant seriously. At all." That's because you don't understand cross-site scripting vulnerabilities. At all. Even if you made a perfect browser without vulnerabilities that implemented JavaScript to the exact EcmaScript specifications, you would still be vulnerable, because the XSS vulnerabilities exist in the web applications, not the browser. The design of JavaScript enables this, because the separation between code and data is flimsy (you can insert JavaScript almost everywhere in HTML, with "on ..." events -- you don't even need a script tag); you couldn't do it unintentionally with a web browser that only understood Java, and a Java web application. JavaScript makes it very easy, just like C makes it easy to mishandle pointers and fixed-length buffers. If C gets criticized for that, it's fair to criticize JavaScript for making XSS vulnerabilities easy. Microsoft's version of JavaScript is worse due to the insecure functionality (see http://www.quirksmode.org/js/intro.html) added *by design*. People keep getting surprised by the nasty stuff that standards-conforming but malicious JavaScript can do, from simple stuff like undying windows (JavaScript spawns a new window every time it detects the closing event) to taking over your desktop, including exploiting intranet applications (recent example: http://www.phoneboy.com/node/6; original article at http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html). It's not surprising to me -- hostile code is much more powerful than hostile data (see below).

You also don't understand how much more difficult it is to process hostile code than hostile data. You point out vulnerabilities in handling data as proof that there are other dangers. Given these, and how much more difficult it is to safely handle code than data, you should agree that it is reasonable to highly distrust a browser's handling of JavaScript.

The more ignorant people are, the quicker they are to mock people pointing out security issues.
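The point the comment makes about the flimsy separation between code and data in HTML can be shown in a few lines. The following is an added example, not code from the Slashdot comment or from any project it names: an application that concatenates untrusted text into HTML turns an "on..." event attribute into script, while the same template with output escaping keeps it as inert data. The helper names (`renderUnsafe`, `renderSafe`, `escapeHtml`, `tagNames`, `hasEventHandlerAttribute`) and the hostile input string are all constructed for this illustration; the two checks at the end are regex approximations for the demonstration, not a substitute for an HTML parser.

```javascript
// Added example (not from the Slashdot comment or any project it names):
// why the thin line between code and data in HTML makes XSS easy, and the
// application-side fix the comment implies. Everything below is constructed.

// Unsafe rendering: untrusted text concatenated straight into HTML. If the
// text contains a tag with an "on..." event attribute, the browser treats it
// as script, so the vulnerability lives in the web application's output,
// not in the browser's JavaScript engine.
function renderUnsafe(displayName) {
  return '<p>Welcome, ' + displayName + '</p>';
}

// Escape the five characters that can change meaning in HTML text and
// double-quoted attribute-value contexts. This turns data back into data.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: same template, escaped data.
function renderSafe(displayName) {
  return '<p>Welcome, ' + escapeHtml(displayName) + '</p>';
}

// Approximate checks for the demonstration (a real review would use an HTML
// parser): which tags does the markup actually contain, and does any tag
// carry an event-handler attribute?
function tagNames(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

function hasEventHandlerAttribute(html) {
  // An "on..." attribute counts only when it sits inside a tag; escaped
  // text that merely mentions "onerror=" does not.
  return /<[a-zA-Z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed hostile input: an image tag whose error handler would run script.
const CONSTRUCTED_INPUT = '<img src=x onerror="alert(\'xss\')">';

function demo() {
  const unsafe = renderUnsafe(CONSTRUCTED_INPUT);
  const safe = renderSafe(CONSTRUCTED_INPUT);
  return {
    unsafeTags: tagNames(unsafe),               // ['p', 'img', 'p']
    unsafeHasHandler: hasEventHandlerAttribute(unsafe), // true
    safeTags: tagNames(safe),                   // ['p', 'p']
    safeHasHandler: hasEventHandlerAttribute(safe),     // false
  };
}

console.log(demo());
```

Run with `node` to see both renderings side by side. The browser parsed both strings exactly to specification; only the application's handling of data decided whether the input became code, which is the comment's argument that the fix belongs in the web application's output encoding rather than in the JavaScript engine.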
