Pantek Library

Switching off scripts

From: Ingo Struck <ingo(at)ingostruck.de>
Date: Thu Aug 14 2003 - 09:54:31 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi...

Sorry, that may run out of scope, and I promise this is my last out-of-scope mail regarding the usage of client side scripts here... :o)

> > (That means that you should encourage all your users to switch off all
> > kind of scripting and don't rely on it within your apps).
>
> That's a bit extreme. Why not just fix the XSS hole.

Yep. Right. Of course the XSS hole needs to be fixed for all the users that use client side scripts or keep using it against better knowledge.

The background here is that I never experienced any merit from using client side scripting anyway:

- - it induces additional security risks
- - it lowers usability significantly
- - it renders sites inaccessible most often
- - it has got severe compatibility problems in nearly any case
  (show me one reasonable script working on three different browsers without any "if xyz==navigator.userAgent")

Client side scripting is a nuisance and it is unnecessary. If you want to have more client side functionality, consider building "distributed" applications rather than web applications.


Kind regards

Ingo

- --
ingo@ingostruck.de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/O5SahQivkhmqPSQRAkNYAKC63oJeHreTUt1gb/1xvO3C3OkzQACguOEI z57EiWuLg0I7ZADUPPl5ycI=
=0vxH
-----END PGP SIGNATURE-----

Received on Thu Aug 14 10:34:46 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

