[whatwg] Loading custom XML UI definitions from an external file

From: Didier PH Martin <martind@netfolder.com>
Date: Wed, 09 Jun 2004 16:17:52 -0400
Message-ID: <000001c44e5e$d7d04720$c801a8c0@DIDIERHOME>

Hi Jose,

> <quote>
> 6.3 Ensure that pages are usable when scripts, applets, or other
> programmatic objects are turned off or not supported. If this is not
> possible, provide equivalent information on an alternative accessible
> page. [Priority 1]
> </quote>
> 

At first I thought you were speaking of people with disabilities.

I guess to support the 6.3 requirement, there is no other choice than for
the new capacities to be included in the browser. Otherwise we are
talking about dead documents, not live applications.

In fact the solution is not to turn off the JavaScript but to provide a
better sandbox to run the JavaScript. With the recent updates, even in IE,
this is getting better and better. I can hardly see a rich web application
environment without a scripting language to resolve the impedance mismatch
between the model and the interactors; this can be made feasible for simple
controls but not for more complex apps. Take for example VoiceXML: it is a
declarative language. However, most of the sophisticated applications I know
are using scripts (ECMAScript) to compensate for what is not included in the
language. Therefore VoiceXML is more versatile. How did VoiceXML manufacturers
respond to the potential threat presented by scripts? By reinforcing the
sandbox and allowing the scripts to manipulate a limited set of objects.

Now, if the scripts can access only the objects offered by the browser, I
hardly see how the script can corrupt your disk drive or inject a virus. If
it can do that, it's because it has access to an object that will allow it
to do that. For example, in the case of Outlook, scripts could get access to
Outlook objects that were potential threats.

In the context of IE, you can set the security level for different zones. So
we set it to disable scripts from the internet and enable them for the
intranet. At least it is possible to run web apps within the firewalls. This
is in case people are paranoid about a script being given access to some
objects, leading to some harm to your system.

Now, does anyone know an object (in JavaScript) that can cause any harm
without user knowledge? In IE try the filesystem object and see what you get
(a pop-up stating the potential harm), try to access a frame coming from a
different domain than one and see what it does.... Same thing if you have an
anti-virus app and get a virus in your mail: guess what happens. Do you stop
using the mail because you may have a virus? No, instead you use an
anti-virus that notifies you it found a virus. Do you stop crossing the
streets because a car may hit you? Probably not. So,

Are we overreacting here?

Cheers
Didier PH Martin
Received on Wednesday, 9 June 2004 13:17:52 UTC
