[Python-talk] [js] Javascript Uber Alles? Is script without the sandbox a good idea?

Ben Scott dragonhawk at gmail.com
Tue Jul 3 16:45:24 EDT 2007

On 7/3/07, Bill Sconce <sconce at in-spec-inc.com> wrote:
> And from that standpoint there can be no other answer than
> that Javascript is evil.

  "There is no such thing as security.  Only risk management."

  It can be argued (quite correctly, I think) that allowing arbitrary
systems out in the world to send stuff for your computer to be
interpreted in complex ways is always a very risky proposition.  And
that's the case whether it's JavaScript or HTML.  HTTP, HTML and CSS
are damn complex on their own. Even without implementation bugs (of
which there is an apparently endless supply), there is ample
opportunity for Bad Things to be done.  Why is interpreting JavaScript
intrinsically more evil than interpreting HTML?  And you put email
into the picture, and geez...

  This isn't just idle speculation.  There's good reason we don't
permit computers with classified information on them to be connected to
the Internet.

  At the same time, there are some very real benefits to networked
participation.  If there weren't, this Internet fad would have died
out after the first few worms.  Cutting oneself off in the name of
security isn't a very good solution for most.

  Whether the final ultimate solution is a better JavaScript sandbox,
or something else entirely (maybe sandboxed Python -- ha!  on-topic!),
I think this kind of thing is inevitable.

-- Ben

