Re: Spyglass HTML Validator 1.0 Availability

F. E. Potts (fepotts@fepco.com)
Fri, 18 Oct 1996 14:42:27 -0600


Date: Fri, 18 Oct 1996 14:42:27 -0600
From: fepotts@fepco.com (F. E. Potts)
Message-Id: <96Oct18.144420mdt.18433@gw2.fepco.com>
To: preece@predator.urbana.mcd.mot.com
Subject: Re: Spyglass HTML Validator 1.0 Availability
Cc: www-html@w3.org

 From: fepotts@fepco.com (F. E. Potts)
| 
| Yes, there have been problems with JavaScript:
| 	
| 	http://www-genome.wi.mit.edu/WWW/faqs/wwwsf7.html#Q61
| 
| 	http://www.osf.org/~loverso/javascript/
| 
| While some of the problems associated with JavaScript have been fixed,
| others have not, and new ones are waiting to be found.  To me,
| JavaScript is about as buggy as Sendmail, and needs to be treated with
| equal care.
---

On Fri, 18 Oct 1996 13:38:45 -0600, Scott E. Preece replied:
> f/w/i/w, the first reference reports on Netscape 2.01 as the latest
> release and the second reference seems to say that all the security
> problems he found were fixed in the 3.0 betas.  It would be
> interesting to get an up-to-date summary on whether any security
> problems are known in Netscape 3.0's implementation of JavaScript.

Yes, those problems that were noted were mostly fixed in 3.0.  However,
the <em>history</em> of the JavaScript security bugs is such that with
each new release the latest bugs were said to be fixed (and this often
later turned out to be wrong).  Which is why I treat JavaScript as I do
Sendmail.

What it gets down to is that it all depends on what your data, or your
network, is worth as to how careful you will be regarding security
matters.  And beyond this, there is the cultural element: historically,
the Unix community has taken security matters quite seriously (perhaps
because of its long history with TCP/IP networks), while the PC
community (perhaps for the opposite reason) has a tendency to mostly
just ignore the subject.

I haven't bothered to look at the JavaScript security situation much
lately, because IMO the basic security model JavaScript operates under
is flawed (Java, in this respect, is much better, but it too is still
problematic).  So I just keep JavaScript turned off in the Netscape UAs
that are under my control, while wishing I could turn off the maddening
cookies as easily.  :-(

-fep

--
fepotts@fepco.com
http://www.fepco.com/