- From: David Bruant <bruant.d@gmail.com>
- Date: Fri, 10 Aug 2012 20:25:24 -0400
- To: Erik Reppen <erik.reppen@gmail.com>
- Cc: whatwg@lists.whatwg.org, "Tab Atkins Jr." <jackalmage@gmail.com>
On 10/08/2012 20:06, Erik Reppen wrote:
> Sorry if this double-posted but I think I forgot to CC the list.
>
> Browser vendor politics I can understand but if we're going to talk about
> what "history shows" about people like myself suggesting features we can't
> actually support I'd like to see some studies that contradict the
> experiences I've had as a web ui developer for the last five years.
>
> Everybody seems on board with providing a JavaScript strict mode. How is
> this any different?

JavaScript strict mode makes it possible to make a JavaScript program secure (there is some additional work to do, but you can do it yourself as a programmer) while it's almost impossible to write a secure program in non-strict JavaScript because of scope-violating (indirect) eval. JavaScript strict mode is almost a different language in that regard. The ability to write securable JavaScript required an intervention at the language level.

HTML has no such thing to win with a strict mode as far as I know. Also, JS strict mode deals with runtime and not syntax (with statement aside). That's far different from what could be expected from an HTML strict mode.

To some extent, CSP ("Content Security Policy", about to reach Recommendation stage soon) is your "HTML strict mode" if you care about security.

David
Received on Saturday, 11 August 2012 00:25:55 UTC
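
An added illustration, not part of the original message: three runtime differences between strict and non-strict JavaScript that bear on whether a program can be secured, namely whether a direct eval can add bindings to its caller's scope, what `this` is in a plain function call, and whether writing to an undeclared name creates a global. The probe names (evalLeak, plainThis, undeclaredWrite, compareModes, injected, probeLeak) are hypothetical.

```javascript
// Added illustration. Each probe is built with the Function constructor, so its
// strictness depends only on its own body and not on the file that loads it.
const prologue = (strict) => (strict ? '"use strict";\n' : '');

// Probe 1: can text passed to a direct eval add a binding to the caller's scope?
function evalLeak(strict) {
  const probe = new Function('src', prologue(strict) +
    'eval(src); return typeof injected;');
  return probe('var injected = 1;'); // constructed sample input
}

// Probe 2: what does `this` refer to in a plain (receiver-less) function call?
function plainThis(strict) {
  const probe = new Function(prologue(strict) + 'return this;');
  const self = probe();
  return self === globalThis ? 'global object' : String(self);
}

// Probe 3: does assigning to an undeclared name silently create a global?
function undeclaredWrite(strict) {
  const probe = new Function(prologue(strict) +
    'try { probeLeak = 1; return "global created"; }' +
    'catch (e) { return e.name; }');
  try {
    return probe();
  } finally {
    delete globalThis.probeLeak; // clean up after the non-strict run
  }
}

// Run every probe in both modes and return the results side by side.
function compareModes() {
  const row = (strict) => ({
    evalLeak: evalLeak(strict),
    plainThis: plainThis(strict),
    undeclaredWrite: undeclaredWrite(strict),
  });
  return { sloppy: row(false), strict: row(true) };
}

console.table(compareModes());
```

In the non-strict rows the evaluated text and the called function reach state they were never handed (the caller's variable scope, the global object); in the strict rows they do not, which is what lets a programmer build confinement on top.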