[Python-talk] [js] Javascript Uber Alles? Is script without the sandbox a good idea?

Lloyd Kvam lkvam at venix.com
Tue Jul 3 19:32:04 EDT 2007

On Tue, 2007-07-03 at 16:45 -0400, Ben Scott wrote:
> On 7/3/07, Bill Sconce <sconce at in-spec-inc.com> wrote:
> > And from that standpoint there can be no other answer than
> > that Javascript is evil.
>   "There is no such thing as security.  Only risk management."
>   It can be argued (quite correctly, I think) that allowing arbitrary
> systems out in the world to send stuff for your computer to be
> interpreted in complex ways is always a very risky proposition.  And
> that's the case whether it's JavaScript or HTML.  HTTP, HTML and CSS
> are damn complex on their own. Even without implementation bugs (of
> which there are an apparently endless supply), there is ample
> opportunity for Bad Things to be done.  Why is interpreting JavaScript
> intrinsically more evil than interpreting HTML?  

HTML is simply a bunch of text tags.  Aside from meta-tags (e.g. refresh)
and some issues with image processing, which is really not part of
HTML, there is not much scope for attack (except perhaps via frames?).
There is always the possibility of an exploitable browser bug, but I
think the risk with open source browsers is reasonably low.

JavaScript offers programmed access into local files (cookies),
connections to servers, generated text, and more.  Bugs in the sandbox,
programming errors, and general complexity open avenues for attack.

> And you put email
> into the picture, and geez...

And you keep automatic image loading off so that you don't notify the
spammers that you opened the email, right??

Disabling JavaScript and Flash is simply a way to control the use and
abuse of *my* computer when visiting other sites.  When necessary, I'll
allow sites to use JavaScript or Flash, but it's my decision.

>   This isn't just idle speculation.  There's good reason we don't
> permit computers with classified information on them to be connected to
> the Internet.
>   At the same time, there are some very real benefits to networked
> participation.  If there weren't, this Internet fad would have died
> out after the first few worms.  Cutting oneself off in the name of
> security isn't a very good solution for most.
>   Whether the final ultimate solution is a better JavaScript sandbox,
> or something else entirely (maybe sandboxed Python -- ha!  on-topic!),
> I think this kind of thing is inevitable.

Oddly enough, I can often skip right through register-to-view screens
and on to the "protected" content simply because the protection is
JavaScript code that verifies that the screen fields were filled in.
With JavaScript disabled, the submit button simply works.

> -- Ben
